f47e8211fb
* feat(mcp): add workspace root validation to prevent path traversal - Add workspaceRoot field to Service for restricting file operations - Add WithWorkspaceRoot() option for configuring the workspace directory - Add validatePath() helper to check paths are within workspace - Apply validation to all file operation handlers - Default to current working directory for security - Add comprehensive tests for path validation Closes #82 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: move CLI commands from pkg/ to internal/cmd/ - Move 18 CLI command packages to internal/cmd/ (not externally importable) - Keep 16 library packages in pkg/ (externally importable) - Update all import paths throughout codebase - Cleaner separation between CLI logic and reusable libraries CLI commands moved: ai, ci, dev, docs, doctor, gitcmd, go, monitor, php, pkgcmd, qa, sdk, security, setup, test, updater, vm, workspace Libraries remaining: agentic, build, cache, cli, container, devops, errors, framework, git, i18n, io, log, mcp, process, release, repos Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(mcp): use pkg/io Medium for sandboxed file operations Replace manual path validation with pkg/io.Medium for all file operations. This delegates security (path traversal, symlink bypass) to the sandboxed local.Medium implementation. Changes: - Add io.NewSandboxed() for creating sandboxed Medium instances - Refactor MCP Service to use io.Medium instead of direct os.* calls - Remove validatePath and resolvePathWithSymlinks functions - Update tests to verify Medium-based behaviour Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix: correct import path and workflow references - Fix pkg/io/io.go import from core-gui to core - Update CI workflows to use internal/cmd/updater path Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(security): address CodeRabbit review issues for path validation - pkg/io/local: add symlink resolution and boundary-aware containment - Reject absolute paths in sandboxed Medium - Use filepath.EvalSymlinks to prevent symlink bypass attacks - Fix prefix check to prevent /tmp/root matching /tmp/root2 - pkg/mcp: fix resolvePath to validate and return errors - Changed resolvePath from (string) to (string, error) - Update deleteFile, renameFile, listDirectory, fileExists to handle errors - Changed New() to return (*Service, error) instead of *Service - Properly propagate option errors instead of silently discarding - pkg/io: wrap errors with E() helper for consistent context - Copy() and MockMedium.Read() now use coreerr.E() - tests: rename to use _Good/_Bad/_Ugly suffixes per coding guidelines - Fix hardcoded /tmp in TestPath to use t.TempDir() - Add TestResolvePath_Bad_SymlinkTraversal test Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix gofmt formatting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix gofmt formatting across all files Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
208 lines
5.2 KiB
Go
208 lines
5.2 KiB
Go
package dev
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"os/exec"
|
|
"sort"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/host-uk/core/pkg/cli"
|
|
"github.com/host-uk/core/pkg/i18n"
|
|
)
|
|
|
|
// Issue-specific styles (aliases to shared)
|
|
var (
|
|
issueRepoStyle = cli.DimStyle
|
|
issueNumberStyle = cli.TitleStyle
|
|
issueTitleStyle = cli.ValueStyle
|
|
issueLabelStyle = cli.WarningStyle
|
|
issueAssigneeStyle = cli.SuccessStyle
|
|
issueAgeStyle = cli.DimStyle
|
|
)
|
|
|
|
// GitHubIssue represents a GitHub issue from the API.
|
|
type GitHubIssue struct {
|
|
Number int `json:"number"`
|
|
Title string `json:"title"`
|
|
State string `json:"state"`
|
|
CreatedAt time.Time `json:"createdAt"`
|
|
Author struct {
|
|
Login string `json:"login"`
|
|
} `json:"author"`
|
|
Assignees struct {
|
|
Nodes []struct {
|
|
Login string `json:"login"`
|
|
} `json:"nodes"`
|
|
} `json:"assignees"`
|
|
Labels struct {
|
|
Nodes []struct {
|
|
Name string `json:"name"`
|
|
} `json:"nodes"`
|
|
} `json:"labels"`
|
|
URL string `json:"url"`
|
|
|
|
// Added by us
|
|
RepoName string `json:"-"`
|
|
}
|
|
|
|
// Issues command flags
|
|
var (
|
|
issuesRegistryPath string
|
|
issuesLimit int
|
|
issuesAssignee string
|
|
)
|
|
|
|
// addIssuesCommand adds the 'issues' command to the given parent command.
|
|
func addIssuesCommand(parent *cli.Command) {
|
|
issuesCmd := &cli.Command{
|
|
Use: "issues",
|
|
Short: i18n.T("cmd.dev.issues.short"),
|
|
Long: i18n.T("cmd.dev.issues.long"),
|
|
RunE: func(cmd *cli.Command, args []string) error {
|
|
limit := issuesLimit
|
|
if limit == 0 {
|
|
limit = 10
|
|
}
|
|
return runIssues(issuesRegistryPath, limit, issuesAssignee)
|
|
},
|
|
}
|
|
|
|
issuesCmd.Flags().StringVar(&issuesRegistryPath, "registry", "", i18n.T("common.flag.registry"))
|
|
issuesCmd.Flags().IntVarP(&issuesLimit, "limit", "l", 10, i18n.T("cmd.dev.issues.flag.limit"))
|
|
issuesCmd.Flags().StringVarP(&issuesAssignee, "assignee", "a", "", i18n.T("cmd.dev.issues.flag.assignee"))
|
|
|
|
parent.AddCommand(issuesCmd)
|
|
}
|
|
|
|
func runIssues(registryPath string, limit int, assignee string) error {
|
|
// Check gh is available
|
|
if _, err := exec.LookPath("gh"); err != nil {
|
|
return errors.New(i18n.T("error.gh_not_found"))
|
|
}
|
|
|
|
// Find or use provided registry
|
|
reg, _, err := loadRegistryWithConfig(registryPath)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Fetch issues sequentially (avoid GitHub rate limits)
|
|
var allIssues []GitHubIssue
|
|
var fetchErrors []error
|
|
|
|
repoList := reg.List()
|
|
for i, repo := range repoList {
|
|
repoFullName := cli.Sprintf("%s/%s", reg.Org, repo.Name)
|
|
cli.Print("\033[2K\r%s %d/%d %s", dimStyle.Render(i18n.T("i18n.progress.fetch")), i+1, len(repoList), repo.Name)
|
|
|
|
issues, err := fetchIssues(repoFullName, repo.Name, limit, assignee)
|
|
if err != nil {
|
|
fetchErrors = append(fetchErrors, cli.Wrap(err, repo.Name))
|
|
continue
|
|
}
|
|
allIssues = append(allIssues, issues...)
|
|
}
|
|
cli.Print("\033[2K\r") // Clear progress line
|
|
|
|
// Sort by created date (newest first)
|
|
sort.Slice(allIssues, func(i, j int) bool {
|
|
return allIssues[i].CreatedAt.After(allIssues[j].CreatedAt)
|
|
})
|
|
|
|
// Print issues
|
|
if len(allIssues) == 0 {
|
|
cli.Text(i18n.T("cmd.dev.issues.no_issues"))
|
|
return nil
|
|
}
|
|
|
|
cli.Print("\n%s\n\n", i18n.T("cmd.dev.issues.open_issues", map[string]interface{}{"Count": len(allIssues)}))
|
|
|
|
for _, issue := range allIssues {
|
|
printIssue(issue)
|
|
}
|
|
|
|
// Print any errors
|
|
if len(fetchErrors) > 0 {
|
|
cli.Blank()
|
|
for _, err := range fetchErrors {
|
|
cli.Print("%s %s\n", errorStyle.Render(i18n.Label("error")), err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func fetchIssues(repoFullName, repoName string, limit int, assignee string) ([]GitHubIssue, error) {
|
|
args := []string{
|
|
"issue", "list",
|
|
"--repo", repoFullName,
|
|
"--state", "open",
|
|
"--limit", cli.Sprintf("%d", limit),
|
|
"--json", "number,title,state,createdAt,author,assignees,labels,url",
|
|
}
|
|
|
|
if assignee != "" {
|
|
args = append(args, "--assignee", assignee)
|
|
}
|
|
|
|
cmd := exec.Command("gh", args...)
|
|
output, err := cmd.Output()
|
|
if err != nil {
|
|
// Check if it's just "no issues" vs actual error
|
|
if exitErr, ok := err.(*exec.ExitError); ok {
|
|
stderr := string(exitErr.Stderr)
|
|
if strings.Contains(stderr, "no issues") || strings.Contains(stderr, "Could not resolve") {
|
|
return nil, nil
|
|
}
|
|
return nil, cli.Err("%s", stderr)
|
|
}
|
|
return nil, err
|
|
}
|
|
|
|
var issues []GitHubIssue
|
|
if err := json.Unmarshal(output, &issues); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Tag with repo name
|
|
for i := range issues {
|
|
issues[i].RepoName = repoName
|
|
}
|
|
|
|
return issues, nil
|
|
}
|
|
|
|
func printIssue(issue GitHubIssue) {
|
|
// #42 [core-bio] Fix avatar upload
|
|
num := issueNumberStyle.Render(cli.Sprintf("#%d", issue.Number))
|
|
repo := issueRepoStyle.Render(cli.Sprintf("[%s]", issue.RepoName))
|
|
title := issueTitleStyle.Render(cli.Truncate(issue.Title, 60))
|
|
|
|
line := cli.Sprintf(" %s %s %s", num, repo, title)
|
|
|
|
// Add labels if any
|
|
if len(issue.Labels.Nodes) > 0 {
|
|
var labels []string
|
|
for _, l := range issue.Labels.Nodes {
|
|
labels = append(labels, l.Name)
|
|
}
|
|
line += " " + issueLabelStyle.Render("["+strings.Join(labels, ", ")+"]")
|
|
}
|
|
|
|
// Add assignee if any
|
|
if len(issue.Assignees.Nodes) > 0 {
|
|
var assignees []string
|
|
for _, a := range issue.Assignees.Nodes {
|
|
assignees = append(assignees, "@"+a.Login)
|
|
}
|
|
line += " " + issueAssigneeStyle.Render(strings.Join(assignees, ", "))
|
|
}
|
|
|
|
// Add age
|
|
age := cli.FormatAge(issue.CreatedAt)
|
|
line += " " + issueAgeStyle.Render(age)
|
|
|
|
cli.Text(line)
|
|
}
|