core/cli
8
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions 1
cli/internal/cmd/updater/README.md
Snider f47e8211fb feat(mcp): add workspace root validation to prevent path traversal (#100) 
* feat(mcp): add workspace root validation to prevent path traversal

- Add workspaceRoot field to Service for restricting file operations
- Add WithWorkspaceRoot() option for configuring the workspace directory
- Add validatePath() helper to check paths are within workspace
- Apply validation to all file operation handlers
- Default to current working directory for security
- Add comprehensive tests for path validation

Closes #82

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: move CLI commands from pkg/ to internal/cmd/

- Move 18 CLI command packages to internal/cmd/ (not externally importable)
- Keep 16 library packages in pkg/ (externally importable)
- Update all import paths throughout codebase
- Cleaner separation between CLI logic and reusable libraries

CLI commands moved: ai, ci, dev, docs, doctor, gitcmd, go, monitor,
php, pkgcmd, qa, sdk, security, setup, test, updater, vm, workspace

Libraries remaining: agentic, build, cache, cli, container, devops,
errors, framework, git, i18n, io, log, mcp, process, release, repos

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor(mcp): use pkg/io Medium for sandboxed file operations

Replace manual path validation with pkg/io.Medium for all file operations.
This delegates security (path traversal, symlink bypass) to the sandboxed
local.Medium implementation.

Changes:
- Add io.NewSandboxed() for creating sandboxed Medium instances
- Refactor MCP Service to use io.Medium instead of direct os.* calls
- Remove validatePath and resolvePathWithSymlinks functions
- Update tests to verify Medium-based behaviour

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: correct import path and workflow references

- Fix pkg/io/io.go import from core-gui to core
- Update CI workflows to use internal/cmd/updater path

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(security): address CodeRabbit review issues for path validation

- pkg/io/local: add symlink resolution and boundary-aware containment
  - Reject absolute paths in sandboxed Medium
  - Use filepath.EvalSymlinks to prevent symlink bypass attacks
  - Fix prefix check to prevent /tmp/root matching /tmp/root2

- pkg/mcp: fix resolvePath to validate and return errors
  - Changed resolvePath from (string) to (string, error)
  - Update deleteFile, renameFile, listDirectory, fileExists to handle errors
  - Changed New() to return (*Service, error) instead of *Service
  - Properly propagate option errors instead of silently discarding

- pkg/io: wrap errors with E() helper for consistent context
  - Copy() and MockMedium.Read() now use coreerr.E()

- tests: rename to use _Good/_Bad/_Ugly suffixes per coding guidelines
  - Fix hardcoded /tmp in TestPath to use t.TempDir()
  - Add TestResolvePath_Bad_SymlinkTraversal test

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: fix gofmt formatting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: fix gofmt formatting across all files

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 21:59:34 +00:00

2.5 KiB
Raw Blame History

Core Element Template

This repository is a template for developers to create custom HTML elements for the core web3 framework. It includes a Go backend, an Angular custom element, and a full release cycle configuration.

Getting Started

  1. Clone the repository:

    git clone https://github.com/your-username/core-element-template.git

  2. Install the dependencies:

    cd core-element-template
go mod tidy
cd ui
npm install

  3. Run the development server:

    go run ./cmd/demo-cli serve

    This will start the Go backend and serve the Angular custom element.

Building the Custom Element

To build the Angular custom element, run the following command:

cd ui
npm run build

This will create a single JavaScript file in the dist directory that you can use in any HTML page.

Usage

To use the updater library in your Go project, you can use the UpdateService.

GitHub-based Updates

package main

import (
	"fmt"
	"log"

	"github.com/snider/updater"
)

func main() {
	config := updater.UpdateServiceConfig{
		RepoURL:        "https://github.com/owner/repo",
		Channel:        "stable",
		CheckOnStartup: updater.CheckAndUpdateOnStartup,
	}

	updateService, err := updater.NewUpdateService(config)
	if err != nil {
		log.Fatalf("Failed to create update service: %v", err)
	}

	if err := updateService.Start(); err != nil {
		fmt.Printf("Update check failed: %v\n", err)
	}
}

Generic HTTP Updates

For updates from a generic HTTP server, the server should provide a latest.json file at the root of the RepoURL. The JSON file should have the following structure:

{
  "version": "1.2.3",
  "url": "https://your-server.com/path/to/release-asset"
}

You can then configure the UpdateService as follows:

package main

import (
	"fmt"
	"log"

	"github.com/snider/updater"
)

func main() {
	config := updater.UpdateServiceConfig{
		RepoURL:        "https://your-server.com",
		CheckOnStartup: updater.CheckAndUpdateOnStartup,
	}

	updateService, err := updater.NewUpdateService(config)
	if err != nil {
		log.Fatalf("Failed to create update service: %v", err)
	}

	if err := updateService.Start(); err != nil {
		fmt.Printf("Update check failed: %v\n", err)
	}
}

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

This project is licensed under the EUPL-1.2 License - see the LICENSE file for details.