core/cli
8
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions 1
cli/internal/cmd/updater/service.go
Snider f47e8211fb feat(mcp): add workspace root validation to prevent path traversal (#100) 
* feat(mcp): add workspace root validation to prevent path traversal

- Add workspaceRoot field to Service for restricting file operations
- Add WithWorkspaceRoot() option for configuring the workspace directory
- Add validatePath() helper to check paths are within workspace
- Apply validation to all file operation handlers
- Default to current working directory for security
- Add comprehensive tests for path validation

Closes #82

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: move CLI commands from pkg/ to internal/cmd/

- Move 18 CLI command packages to internal/cmd/ (not externally importable)
- Keep 16 library packages in pkg/ (externally importable)
- Update all import paths throughout codebase
- Cleaner separation between CLI logic and reusable libraries

CLI commands moved: ai, ci, dev, docs, doctor, gitcmd, go, monitor,
php, pkgcmd, qa, sdk, security, setup, test, updater, vm, workspace

Libraries remaining: agentic, build, cache, cli, container, devops,
errors, framework, git, i18n, io, log, mcp, process, release, repos

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor(mcp): use pkg/io Medium for sandboxed file operations

Replace manual path validation with pkg/io.Medium for all file operations.
This delegates security (path traversal, symlink bypass) to the sandboxed
local.Medium implementation.

Changes:
- Add io.NewSandboxed() for creating sandboxed Medium instances
- Refactor MCP Service to use io.Medium instead of direct os.* calls
- Remove validatePath and resolvePathWithSymlinks functions
- Update tests to verify Medium-based behaviour

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: correct import path and workflow references

- Fix pkg/io/io.go import from core-gui to core
- Update CI workflows to use internal/cmd/updater path

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(security): address CodeRabbit review issues for path validation

- pkg/io/local: add symlink resolution and boundary-aware containment
  - Reject absolute paths in sandboxed Medium
  - Use filepath.EvalSymlinks to prevent symlink bypass attacks
  - Fix prefix check to prevent /tmp/root matching /tmp/root2

- pkg/mcp: fix resolvePath to validate and return errors
  - Changed resolvePath from (string) to (string, error)
  - Update deleteFile, renameFile, listDirectory, fileExists to handle errors
  - Changed New() to return (*Service, error) instead of *Service
  - Properly propagate option errors instead of silently discarding

- pkg/io: wrap errors with E() helper for consistent context
  - Copy() and MockMedium.Read() now use coreerr.E()

- tests: rename to use _Good/_Bad/_Ugly suffixes per coding guidelines
  - Fix hardcoded /tmp in TestPath to use t.TempDir()
  - Add TestResolvePath_Bad_SymlinkTraversal test

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: fix gofmt formatting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: fix gofmt formatting across all files

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 21:59:34 +00:00

127 lines
4.2 KiB
Go
Raw Blame History

//go:generate go run github.com/host-uk/core/internal/cmd/updater/build
// Package updater provides functionality for self-updating Go applications.
// It supports updates from GitHub releases and generic HTTP endpoints.
package updater
import (
"fmt"
"net/url"
"strings"
)
// StartupCheckMode defines the updater's behavior on startup.
type StartupCheckMode int
const (
// NoCheck disables any checks on startup.
NoCheck StartupCheckMode = iota
// CheckOnStartup checks for updates on startup but does not apply them.
CheckOnStartup
// CheckAndUpdateOnStartup checks for and applies updates on startup.
CheckAndUpdateOnStartup
)
// UpdateServiceConfig holds the configuration for the UpdateService.
type UpdateServiceConfig struct {
// RepoURL is the URL to the repository for updates. It can be a GitHub
// repository URL (e.g., "https://github.com/owner/repo") or a base URL
// for a generic HTTP update server.
RepoURL string
// Channel specifies the release channel to track (e.g., "stable", "prerelease").
// This is only used for GitHub-based updates.
Channel string
// CheckOnStartup determines the update behavior when the service starts.
CheckOnStartup StartupCheckMode
// ForceSemVerPrefix toggles whether to enforce a 'v' prefix on version tags for display.
// If true, a 'v' prefix is added if missing. If false, it's removed if present.
ForceSemVerPrefix bool
// ReleaseURLFormat provides a template for constructing the download URL for a
// release asset. The placeholder {tag} will be replaced with the release tag.
ReleaseURLFormat string
}
// UpdateService provides a configurable interface for handling application updates.
// It can be configured to check for updates on startup and, if desired, apply
// them automatically. The service can handle updates from both GitHub releases
// and generic HTTP servers.
type UpdateService struct {
config UpdateServiceConfig
isGitHub bool
owner string
repo string
}
// NewUpdateService creates and configures a new UpdateService.
// It parses the repository URL to determine if it's a GitHub repository
// and extracts the owner and repo name.
func NewUpdateService(config UpdateServiceConfig) (*UpdateService, error) {
isGitHub := strings.Contains(config.RepoURL, "github.com")
var owner, repo string
var err error
if isGitHub {
owner, repo, err = ParseRepoURL(config.RepoURL)
if err != nil {
return nil, fmt.Errorf("failed to parse GitHub repo URL: %w", err)
}
}
return &UpdateService{
config: config,
isGitHub: isGitHub,
owner: owner,
repo: repo,
}, nil
}
// Start initiates the update check based on the service configuration.
// It determines whether to perform a GitHub or HTTP-based update check
// based on the RepoURL. The behavior of the check is controlled by the
// CheckOnStartup setting in the configuration.
func (s *UpdateService) Start() error {
if s.isGitHub {
return s.startGitHubCheck()
}
return s.startHTTPCheck()
}
func (s *UpdateService) startGitHubCheck() error {
switch s.config.CheckOnStartup {
case NoCheck:
return nil // Do nothing
case CheckOnStartup:
return CheckOnly(s.owner, s.repo, s.config.Channel, s.config.ForceSemVerPrefix, s.config.ReleaseURLFormat)
case CheckAndUpdateOnStartup:
return CheckForUpdates(s.owner, s.repo, s.config.Channel, s.config.ForceSemVerPrefix, s.config.ReleaseURLFormat)
default:
return fmt.Errorf("unknown startup check mode: %d", s.config.CheckOnStartup)
}
}
func (s *UpdateService) startHTTPCheck() error {
switch s.config.CheckOnStartup {
case NoCheck:
return nil // Do nothing
case CheckOnStartup:
return CheckOnlyHTTP(s.config.RepoURL)
case CheckAndUpdateOnStartup:
return CheckForUpdatesHTTP(s.config.RepoURL)
default:
return fmt.Errorf("unknown startup check mode: %d", s.config.CheckOnStartup)
}
}
// ParseRepoURL extracts the owner and repository name from a GitHub URL.
// It handles standard GitHub URL formats.
func ParseRepoURL(repoURL string) (owner string, repo string, err error) {
u, err := url.Parse(repoURL)
if err != nil {
return "", "", err
}
parts := strings.Split(strings.Trim(u.Path, "/"), "/")
if len(parts) < 2 {
return "", "", fmt.Errorf("invalid repo URL path: %s", u.Path)
}
return parts[0], parts[1], nil
}
Reference in a new issue View git blame Copy permalink