core/cli
8
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions 1
cli/pkg/io/local/client.go
Snider f47e8211fb feat(mcp): add workspace root validation to prevent path traversal (#100) 
* feat(mcp): add workspace root validation to prevent path traversal

- Add workspaceRoot field to Service for restricting file operations
- Add WithWorkspaceRoot() option for configuring the workspace directory
- Add validatePath() helper to check paths are within workspace
- Apply validation to all file operation handlers
- Default to current working directory for security
- Add comprehensive tests for path validation

Closes #82

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: move CLI commands from pkg/ to internal/cmd/

- Move 18 CLI command packages to internal/cmd/ (not externally importable)
- Keep 16 library packages in pkg/ (externally importable)
- Update all import paths throughout codebase
- Cleaner separation between CLI logic and reusable libraries

CLI commands moved: ai, ci, dev, docs, doctor, gitcmd, go, monitor,
php, pkgcmd, qa, sdk, security, setup, test, updater, vm, workspace

Libraries remaining: agentic, build, cache, cli, container, devops,
errors, framework, git, i18n, io, log, mcp, process, release, repos

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor(mcp): use pkg/io Medium for sandboxed file operations

Replace manual path validation with pkg/io.Medium for all file operations.
This delegates security (path traversal, symlink bypass) to the sandboxed
local.Medium implementation.

Changes:
- Add io.NewSandboxed() for creating sandboxed Medium instances
- Refactor MCP Service to use io.Medium instead of direct os.* calls
- Remove validatePath and resolvePathWithSymlinks functions
- Update tests to verify Medium-based behaviour

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: correct import path and workflow references

- Fix pkg/io/io.go import from core-gui to core
- Update CI workflows to use internal/cmd/updater path

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(security): address CodeRabbit review issues for path validation

- pkg/io/local: add symlink resolution and boundary-aware containment
  - Reject absolute paths in sandboxed Medium
  - Use filepath.EvalSymlinks to prevent symlink bypass attacks
  - Fix prefix check to prevent /tmp/root matching /tmp/root2

- pkg/mcp: fix resolvePath to validate and return errors
  - Changed resolvePath from (string) to (string, error)
  - Update deleteFile, renameFile, listDirectory, fileExists to handle errors
  - Changed New() to return (*Service, error) instead of *Service
  - Properly propagate option errors instead of silently discarding

- pkg/io: wrap errors with E() helper for consistent context
  - Copy() and MockMedium.Read() now use coreerr.E()

- tests: rename to use _Good/_Bad/_Ugly suffixes per coding guidelines
  - Fix hardcoded /tmp in TestPath to use t.TempDir()
  - Add TestResolvePath_Bad_SymlinkTraversal test

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: fix gofmt formatting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: fix gofmt formatting across all files

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 21:59:34 +00:00

169 lines
4.8 KiB
Go
Raw Blame History

// Package local provides a local filesystem implementation of the io.Medium interface.
package local
import (
"errors"
"os"
"path/filepath"
"strings"
)
// Medium is a local filesystem storage backend.
type Medium struct {
root string
}
// New creates a new local Medium with the specified root directory.
// The root directory will be created if it doesn't exist.
func New(root string) (*Medium, error) {
// Ensure root is an absolute path
absRoot, err := filepath.Abs(root)
if err != nil {
return nil, err
}
// Create root directory if it doesn't exist
if err := os.MkdirAll(absRoot, 0755); err != nil {
return nil, err
}
return &Medium{root: absRoot}, nil
}
// path sanitizes and joins the relative path with the root directory.
// Returns an error if a path traversal attempt is detected.
// Uses filepath.EvalSymlinks to prevent symlink-based bypass attacks.
func (m *Medium) path(relativePath string) (string, error) {
// Clean the path to remove any .. or . components
cleanPath := filepath.Clean(relativePath)
// Check for path traversal attempts in the raw path
if strings.HasPrefix(cleanPath, "..") || strings.Contains(cleanPath, string(filepath.Separator)+"..") {
return "", errors.New("path traversal attempt detected")
}
// Reject absolute paths - they bypass the sandbox
if filepath.IsAbs(cleanPath) {
return "", errors.New("path traversal attempt detected")
}
fullPath := filepath.Join(m.root, cleanPath)
// Verify the resulting path is still within root (boundary-aware check)
// Must use separator to prevent /tmp/root matching /tmp/root2
rootWithSep := m.root
if !strings.HasSuffix(rootWithSep, string(filepath.Separator)) {
rootWithSep += string(filepath.Separator)
}
if fullPath != m.root && !strings.HasPrefix(fullPath, rootWithSep) {
return "", errors.New("path traversal attempt detected")
}
// Resolve symlinks to prevent bypass attacks
// We need to resolve both the root and full path to handle symlinked roots
resolvedRoot, err := filepath.EvalSymlinks(m.root)
if err != nil {
return "", err
}
// Build boundary-aware prefix for resolved root
resolvedRootWithSep := resolvedRoot
if !strings.HasSuffix(resolvedRootWithSep, string(filepath.Separator)) {
resolvedRootWithSep += string(filepath.Separator)
}
// For the full path, resolve as much as exists
// Use Lstat first to check if the path exists
if _, err := os.Lstat(fullPath); err == nil {
resolvedPath, err := filepath.EvalSymlinks(fullPath)
if err != nil {
return "", err
}
// Verify resolved path is still within resolved root (boundary-aware)
if resolvedPath != resolvedRoot && !strings.HasPrefix(resolvedPath, resolvedRootWithSep) {
return "", errors.New("path traversal attempt detected via symlink")
}
return resolvedPath, nil
}
// Path doesn't exist yet - verify parent directory
parentDir := filepath.Dir(fullPath)
if _, err := os.Lstat(parentDir); err == nil {
resolvedParent, err := filepath.EvalSymlinks(parentDir)
if err != nil {
return "", err
}
if resolvedParent != resolvedRoot && !strings.HasPrefix(resolvedParent, resolvedRootWithSep) {
return "", errors.New("path traversal attempt detected via symlink")
}
}
return fullPath, nil
}
// Read retrieves the content of a file as a string.
func (m *Medium) Read(relativePath string) (string, error) {
fullPath, err := m.path(relativePath)
if err != nil {
return "", err
}
content, err := os.ReadFile(fullPath)
if err != nil {
return "", err
}
return string(content), nil
}
// Write saves the given content to a file, overwriting it if it exists.
// Parent directories are created automatically.
func (m *Medium) Write(relativePath, content string) error {
fullPath, err := m.path(relativePath)
if err != nil {
return err
}
// Ensure parent directory exists
parentDir := filepath.Dir(fullPath)
if err := os.MkdirAll(parentDir, 0755); err != nil {
return err
}
return os.WriteFile(fullPath, []byte(content), 0644)
}
// EnsureDir makes sure a directory exists, creating it if necessary.
func (m *Medium) EnsureDir(relativePath string) error {
fullPath, err := m.path(relativePath)
if err != nil {
return err
}
return os.MkdirAll(fullPath, 0755)
}
// IsFile checks if a path exists and is a regular file.
func (m *Medium) IsFile(relativePath string) bool {
fullPath, err := m.path(relativePath)
if err != nil {
return false
}
info, err := os.Stat(fullPath)
if err != nil {
return false
}
return info.Mode().IsRegular()
}
// FileGet is a convenience function that reads a file from the medium.
func (m *Medium) FileGet(relativePath string) (string, error) {
return m.Read(relativePath)
}
// FileSet is a convenience function that writes a file to the medium.
func (m *Medium) FileSet(relativePath, content string) error {
return m.Write(relativePath, content)
}
Reference in a new issue View git blame Copy permalink