f47e8211fb
* feat(mcp): add workspace root validation to prevent path traversal - Add workspaceRoot field to Service for restricting file operations - Add WithWorkspaceRoot() option for configuring the workspace directory - Add validatePath() helper to check paths are within workspace - Apply validation to all file operation handlers - Default to current working directory for security - Add comprehensive tests for path validation Closes #82 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: move CLI commands from pkg/ to internal/cmd/ - Move 18 CLI command packages to internal/cmd/ (not externally importable) - Keep 16 library packages in pkg/ (externally importable) - Update all import paths throughout codebase - Cleaner separation between CLI logic and reusable libraries CLI commands moved: ai, ci, dev, docs, doctor, gitcmd, go, monitor, php, pkgcmd, qa, sdk, security, setup, test, updater, vm, workspace Libraries remaining: agentic, build, cache, cli, container, devops, errors, framework, git, i18n, io, log, mcp, process, release, repos Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(mcp): use pkg/io Medium for sandboxed file operations Replace manual path validation with pkg/io.Medium for all file operations. This delegates security (path traversal, symlink bypass) to the sandboxed local.Medium implementation. Changes: - Add io.NewSandboxed() for creating sandboxed Medium instances - Refactor MCP Service to use io.Medium instead of direct os.* calls - Remove validatePath and resolvePathWithSymlinks functions - Update tests to verify Medium-based behaviour Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix: correct import path and workflow references - Fix pkg/io/io.go import from core-gui to core - Update CI workflows to use internal/cmd/updater path Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(security): address CodeRabbit review issues for path validation - pkg/io/local: add symlink resolution and boundary-aware containment - Reject absolute paths in sandboxed Medium - Use filepath.EvalSymlinks to prevent symlink bypass attacks - Fix prefix check to prevent /tmp/root matching /tmp/root2 - pkg/mcp: fix resolvePath to validate and return errors - Changed resolvePath from (string) to (string, error) - Update deleteFile, renameFile, listDirectory, fileExists to handle errors - Changed New() to return (*Service, error) instead of *Service - Properly propagate option errors instead of silently discarding - pkg/io: wrap errors with E() helper for consistent context - Copy() and MockMedium.Read() now use coreerr.E() - tests: rename to use _Good/_Bad/_Ugly suffixes per coding guidelines - Fix hardcoded /tmp in TestPath to use t.TempDir() - Add TestResolvePath_Bad_SymlinkTraversal test Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix gofmt formatting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix gofmt formatting across all files Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
163 lines
4 KiB
Go
163 lines
4 KiB
Go
package php
|
|
|
|
import (
|
|
"os"
|
|
"os/exec"
|
|
"path/filepath"
|
|
|
|
"github.com/host-uk/core/pkg/cli"
|
|
)
|
|
|
|
const (
|
|
// DefaultSSLDir is the default directory for SSL certificates.
|
|
DefaultSSLDir = ".core/ssl"
|
|
)
|
|
|
|
// SSLOptions configures SSL certificate generation.
|
|
type SSLOptions struct {
|
|
// Dir is the directory to store certificates.
|
|
// Defaults to ~/.core/ssl/
|
|
Dir string
|
|
}
|
|
|
|
// GetSSLDir returns the SSL directory, creating it if necessary.
|
|
func GetSSLDir(opts SSLOptions) (string, error) {
|
|
dir := opts.Dir
|
|
if dir == "" {
|
|
home, err := os.UserHomeDir()
|
|
if err != nil {
|
|
return "", cli.WrapVerb(err, "get", "home directory")
|
|
}
|
|
dir = filepath.Join(home, DefaultSSLDir)
|
|
}
|
|
|
|
if err := os.MkdirAll(dir, 0755); err != nil {
|
|
return "", cli.WrapVerb(err, "create", "SSL directory")
|
|
}
|
|
|
|
return dir, nil
|
|
}
|
|
|
|
// CertPaths returns the paths to the certificate and key files for a domain.
|
|
func CertPaths(domain string, opts SSLOptions) (certFile, keyFile string, err error) {
|
|
dir, err := GetSSLDir(opts)
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
|
|
certFile = filepath.Join(dir, cli.Sprintf("%s.pem", domain))
|
|
keyFile = filepath.Join(dir, cli.Sprintf("%s-key.pem", domain))
|
|
|
|
return certFile, keyFile, nil
|
|
}
|
|
|
|
// CertsExist checks if SSL certificates exist for the given domain.
|
|
func CertsExist(domain string, opts SSLOptions) bool {
|
|
certFile, keyFile, err := CertPaths(domain, opts)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
|
|
if _, err := os.Stat(certFile); os.IsNotExist(err) {
|
|
return false
|
|
}
|
|
|
|
if _, err := os.Stat(keyFile); os.IsNotExist(err) {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// SetupSSL creates local SSL certificates using mkcert.
|
|
// It installs the local CA if not already installed and generates
|
|
// certificates for the given domain.
|
|
func SetupSSL(domain string, opts SSLOptions) error {
|
|
// Check if mkcert is installed
|
|
if _, err := exec.LookPath("mkcert"); err != nil {
|
|
return cli.Err("mkcert is not installed. Install it with: brew install mkcert (macOS) or see https://github.com/FiloSottile/mkcert")
|
|
}
|
|
|
|
dir, err := GetSSLDir(opts)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Install local CA (idempotent operation)
|
|
installCmd := exec.Command("mkcert", "-install")
|
|
if output, err := installCmd.CombinedOutput(); err != nil {
|
|
return cli.Err("failed to install mkcert CA: %v\n%s", err, output)
|
|
}
|
|
|
|
// Generate certificates
|
|
certFile := filepath.Join(dir, cli.Sprintf("%s.pem", domain))
|
|
keyFile := filepath.Join(dir, cli.Sprintf("%s-key.pem", domain))
|
|
|
|
// mkcert generates cert and key with specific naming
|
|
genCmd := exec.Command("mkcert",
|
|
"-cert-file", certFile,
|
|
"-key-file", keyFile,
|
|
domain,
|
|
"localhost",
|
|
"127.0.0.1",
|
|
"::1",
|
|
)
|
|
|
|
if output, err := genCmd.CombinedOutput(); err != nil {
|
|
return cli.Err("failed to generate certificates: %v\n%s", err, output)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// SetupSSLIfNeeded checks if certificates exist and creates them if not.
|
|
func SetupSSLIfNeeded(domain string, opts SSLOptions) (certFile, keyFile string, err error) {
|
|
certFile, keyFile, err = CertPaths(domain, opts)
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
|
|
if !CertsExist(domain, opts) {
|
|
if err := SetupSSL(domain, opts); err != nil {
|
|
return "", "", err
|
|
}
|
|
}
|
|
|
|
return certFile, keyFile, nil
|
|
}
|
|
|
|
// IsMkcertInstalled checks if mkcert is available in PATH.
|
|
func IsMkcertInstalled() bool {
|
|
_, err := exec.LookPath("mkcert")
|
|
return err == nil
|
|
}
|
|
|
|
// InstallMkcertCA installs the local CA for mkcert.
|
|
func InstallMkcertCA() error {
|
|
if !IsMkcertInstalled() {
|
|
return cli.Err("mkcert is not installed")
|
|
}
|
|
|
|
cmd := exec.Command("mkcert", "-install")
|
|
output, err := cmd.CombinedOutput()
|
|
if err != nil {
|
|
return cli.Err("failed to install mkcert CA: %v\n%s", err, output)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// GetMkcertCARoot returns the path to the mkcert CA root directory.
|
|
func GetMkcertCARoot() (string, error) {
|
|
if !IsMkcertInstalled() {
|
|
return "", cli.Err("mkcert is not installed")
|
|
}
|
|
|
|
cmd := exec.Command("mkcert", "-CAROOT")
|
|
output, err := cmd.Output()
|
|
if err != nil {
|
|
return "", cli.WrapVerb(err, "get", "mkcert CA root")
|
|
}
|
|
|
|
return filepath.Clean(string(output)), nil
|
|
}
|