f47e8211fb
* feat(mcp): add workspace root validation to prevent path traversal - Add workspaceRoot field to Service for restricting file operations - Add WithWorkspaceRoot() option for configuring the workspace directory - Add validatePath() helper to check paths are within workspace - Apply validation to all file operation handlers - Default to current working directory for security - Add comprehensive tests for path validation Closes #82 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: move CLI commands from pkg/ to internal/cmd/ - Move 18 CLI command packages to internal/cmd/ (not externally importable) - Keep 16 library packages in pkg/ (externally importable) - Update all import paths throughout codebase - Cleaner separation between CLI logic and reusable libraries CLI commands moved: ai, ci, dev, docs, doctor, gitcmd, go, monitor, php, pkgcmd, qa, sdk, security, setup, test, updater, vm, workspace Libraries remaining: agentic, build, cache, cli, container, devops, errors, framework, git, i18n, io, log, mcp, process, release, repos Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(mcp): use pkg/io Medium for sandboxed file operations Replace manual path validation with pkg/io.Medium for all file operations. This delegates security (path traversal, symlink bypass) to the sandboxed local.Medium implementation. Changes: - Add io.NewSandboxed() for creating sandboxed Medium instances - Refactor MCP Service to use io.Medium instead of direct os.* calls - Remove validatePath and resolvePathWithSymlinks functions - Update tests to verify Medium-based behaviour Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix: correct import path and workflow references - Fix pkg/io/io.go import from core-gui to core - Update CI workflows to use internal/cmd/updater path Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(security): address CodeRabbit review issues for path validation - pkg/io/local: add symlink resolution and boundary-aware containment - Reject absolute paths in sandboxed Medium - Use filepath.EvalSymlinks to prevent symlink bypass attacks - Fix prefix check to prevent /tmp/root matching /tmp/root2 - pkg/mcp: fix resolvePath to validate and return errors - Changed resolvePath from (string) to (string, error) - Update deleteFile, renameFile, listDirectory, fileExists to handle errors - Changed New() to return (*Service, error) instead of *Service - Properly propagate option errors instead of silently discarding - pkg/io: wrap errors with E() helper for consistent context - Copy() and MockMedium.Read() now use coreerr.E() - tests: rename to use _Good/_Bad/_Ugly suffixes per coding guidelines - Fix hardcoded /tmp in TestPath to use t.TempDir() - Add TestResolvePath_Bad_SymlinkTraversal test Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix gofmt formatting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix gofmt formatting across all files Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
142 lines
3.3 KiB
Go
142 lines
3.3 KiB
Go
package security
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
|
|
"github.com/host-uk/core/pkg/cli"
|
|
"github.com/host-uk/core/pkg/i18n"
|
|
)
|
|
|
|
var (
|
|
scanTool string
|
|
)
|
|
|
|
func addScanCommand(parent *cli.Command) {
|
|
cmd := &cli.Command{
|
|
Use: "scan",
|
|
Short: i18n.T("cmd.security.scan.short"),
|
|
Long: i18n.T("cmd.security.scan.long"),
|
|
RunE: func(c *cli.Command, args []string) error {
|
|
return runScan()
|
|
},
|
|
}
|
|
|
|
cmd.Flags().StringVar(&securityRegistryPath, "registry", "", i18n.T("common.flag.registry"))
|
|
cmd.Flags().StringVar(&securityRepo, "repo", "", i18n.T("cmd.security.flag.repo"))
|
|
cmd.Flags().StringVar(&securitySeverity, "severity", "", i18n.T("cmd.security.flag.severity"))
|
|
cmd.Flags().StringVar(&scanTool, "tool", "", i18n.T("cmd.security.scan.flag.tool"))
|
|
cmd.Flags().BoolVar(&securityJSON, "json", false, i18n.T("common.flag.json"))
|
|
|
|
parent.AddCommand(cmd)
|
|
}
|
|
|
|
// ScanAlert represents a code scanning alert for output.
|
|
type ScanAlert struct {
|
|
Repo string `json:"repo"`
|
|
Severity string `json:"severity"`
|
|
RuleID string `json:"rule_id"`
|
|
Tool string `json:"tool"`
|
|
Path string `json:"path"`
|
|
Line int `json:"line"`
|
|
Description string `json:"description"`
|
|
Message string `json:"message"`
|
|
}
|
|
|
|
func runScan() error {
|
|
if err := checkGH(); err != nil {
|
|
return err
|
|
}
|
|
|
|
reg, err := loadRegistry(securityRegistryPath)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
repoList := getReposToCheck(reg, securityRepo)
|
|
if len(repoList) == 0 {
|
|
return cli.Err("repo not found: %s", securityRepo)
|
|
}
|
|
|
|
var allAlerts []ScanAlert
|
|
summary := &AlertSummary{}
|
|
|
|
for _, repo := range repoList {
|
|
repoFullName := fmt.Sprintf("%s/%s", reg.Org, repo.Name)
|
|
|
|
alerts, err := fetchCodeScanningAlerts(repoFullName)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
|
|
for _, alert := range alerts {
|
|
if alert.State != "open" {
|
|
continue
|
|
}
|
|
|
|
// Filter by tool if specified
|
|
if scanTool != "" && alert.Tool.Name != scanTool {
|
|
continue
|
|
}
|
|
|
|
severity := alert.Rule.Severity
|
|
if severity == "" {
|
|
severity = "medium" // Default if not specified
|
|
}
|
|
|
|
if !filterBySeverity(severity, securitySeverity) {
|
|
continue
|
|
}
|
|
|
|
summary.Add(severity)
|
|
|
|
scanAlert := ScanAlert{
|
|
Repo: repo.Name,
|
|
Severity: severity,
|
|
RuleID: alert.Rule.ID,
|
|
Tool: alert.Tool.Name,
|
|
Path: alert.MostRecentInstance.Location.Path,
|
|
Line: alert.MostRecentInstance.Location.StartLine,
|
|
Description: alert.Rule.Description,
|
|
Message: alert.MostRecentInstance.Message.Text,
|
|
}
|
|
allAlerts = append(allAlerts, scanAlert)
|
|
}
|
|
}
|
|
|
|
if securityJSON {
|
|
output, err := json.MarshalIndent(allAlerts, "", " ")
|
|
if err != nil {
|
|
return cli.Wrap(err, "marshal JSON output")
|
|
}
|
|
cli.Text(string(output))
|
|
return nil
|
|
}
|
|
|
|
// Print summary
|
|
cli.Blank()
|
|
cli.Print("%s %s\n", cli.DimStyle.Render("Code Scanning:"), summary.String())
|
|
cli.Blank()
|
|
|
|
if len(allAlerts) == 0 {
|
|
return nil
|
|
}
|
|
|
|
// Print table
|
|
for _, alert := range allAlerts {
|
|
sevStyle := severityStyle(alert.Severity)
|
|
|
|
location := fmt.Sprintf("%s:%d", alert.Path, alert.Line)
|
|
|
|
cli.Print("%-16s %s %-20s %-40s %s\n",
|
|
cli.ValueStyle.Render(alert.Repo),
|
|
sevStyle.Render(fmt.Sprintf("%-8s", alert.Severity)),
|
|
alert.RuleID,
|
|
location,
|
|
cli.DimStyle.Render(alert.Tool),
|
|
)
|
|
}
|
|
cli.Blank()
|
|
|
|
return nil
|
|
}
|