core/cli
8
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions 1
cli/internal/cmd/security/cmd_secrets.go
Snider 3365bfd5ba
feat(mcp): add workspace root validation to prevent path traversal (#100) 
* feat(mcp): add workspace root validation to prevent path traversal

- Add workspaceRoot field to Service for restricting file operations
- Add WithWorkspaceRoot() option for configuring the workspace directory
- Add validatePath() helper to check paths are within workspace
- Apply validation to all file operation handlers
- Default to current working directory for security
- Add comprehensive tests for path validation

Closes #82

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: move CLI commands from pkg/ to internal/cmd/

- Move 18 CLI command packages to internal/cmd/ (not externally importable)
- Keep 16 library packages in pkg/ (externally importable)
- Update all import paths throughout codebase
- Cleaner separation between CLI logic and reusable libraries

CLI commands moved: ai, ci, dev, docs, doctor, gitcmd, go, monitor,
php, pkgcmd, qa, sdk, security, setup, test, updater, vm, workspace

Libraries remaining: agentic, build, cache, cli, container, devops,
errors, framework, git, i18n, io, log, mcp, process, release, repos

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor(mcp): use pkg/io Medium for sandboxed file operations

Replace manual path validation with pkg/io.Medium for all file operations.
This delegates security (path traversal, symlink bypass) to the sandboxed
local.Medium implementation.

Changes:
- Add io.NewSandboxed() for creating sandboxed Medium instances
- Refactor MCP Service to use io.Medium instead of direct os.* calls
- Remove validatePath and resolvePathWithSymlinks functions
- Update tests to verify Medium-based behaviour

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: correct import path and workflow references

- Fix pkg/io/io.go import from core-gui to core
- Update CI workflows to use internal/cmd/updater path

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(security): address CodeRabbit review issues for path validation

- pkg/io/local: add symlink resolution and boundary-aware containment
  - Reject absolute paths in sandboxed Medium
  - Use filepath.EvalSymlinks to prevent symlink bypass attacks
  - Fix prefix check to prevent /tmp/root matching /tmp/root2

- pkg/mcp: fix resolvePath to validate and return errors
  - Changed resolvePath from (string) to (string, error)
  - Update deleteFile, renameFile, listDirectory, fileExists to handle errors
  - Changed New() to return (*Service, error) instead of *Service
  - Properly propagate option errors instead of silently discarding

- pkg/io: wrap errors with E() helper for consistent context
  - Copy() and MockMedium.Read() now use coreerr.E()

- tests: rename to use _Good/_Bad/_Ugly suffixes per coding guidelines
  - Fix hardcoded /tmp in TestPath to use t.TempDir()
  - Add TestResolvePath_Bad_SymlinkTraversal test

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: fix gofmt formatting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: fix gofmt formatting across all files

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 21:59:34 +00:00

121 lines
2.8 KiB
Go
Raw Blame History

package security
import (
"encoding/json"
"fmt"
"github.com/host-uk/core/pkg/cli"
"github.com/host-uk/core/pkg/i18n"
)
func addSecretsCommand(parent *cli.Command) {
cmd := &cli.Command{
Use: "secrets",
Short: i18n.T("cmd.security.secrets.short"),
Long: i18n.T("cmd.security.secrets.long"),
RunE: func(c *cli.Command, args []string) error {
return runSecrets()
},
}
cmd.Flags().StringVar(&securityRegistryPath, "registry", "", i18n.T("common.flag.registry"))
cmd.Flags().StringVar(&securityRepo, "repo", "", i18n.T("cmd.security.flag.repo"))
cmd.Flags().BoolVar(&securityJSON, "json", false, i18n.T("common.flag.json"))
parent.AddCommand(cmd)
}
// SecretAlert represents a secret scanning alert for output.
type SecretAlert struct {
Repo string `json:"repo"`
Number int `json:"number"`
SecretType string `json:"secret_type"`
State string `json:"state"`
Resolution string `json:"resolution,omitempty"`
PushProtection bool `json:"push_protection_bypassed"`
}
func runSecrets() error {
if err := checkGH(); err != nil {
return err
}
reg, err := loadRegistry(securityRegistryPath)
if err != nil {
return err
}
repoList := getReposToCheck(reg, securityRepo)
if len(repoList) == 0 {
return cli.Err("repo not found: %s", securityRepo)
}
var allAlerts []SecretAlert
openCount := 0
for _, repo := range repoList {
repoFullName := fmt.Sprintf("%s/%s", reg.Org, repo.Name)
alerts, err := fetchSecretScanningAlerts(repoFullName)
if err != nil {
continue
}
for _, alert := range alerts {
if alert.State != "open" {
continue
}
openCount++
secretAlert := SecretAlert{
Repo: repo.Name,
Number: alert.Number,
SecretType: alert.SecretType,
State: alert.State,
Resolution: alert.Resolution,
PushProtection: alert.PushProtection,
}
allAlerts = append(allAlerts, secretAlert)
}
}
if securityJSON {
output, err := json.MarshalIndent(allAlerts, "", " ")
if err != nil {
return cli.Wrap(err, "marshal JSON output")
}
cli.Text(string(output))
return nil
}
// Print summary
cli.Blank()
if openCount > 0 {
cli.Print("%s %s\n", cli.DimStyle.Render("Secrets:"), cli.ErrorStyle.Render(fmt.Sprintf("%d open", openCount)))
} else {
cli.Print("%s %s\n", cli.DimStyle.Render("Secrets:"), cli.SuccessStyle.Render("No exposed secrets"))
}
cli.Blank()
if len(allAlerts) == 0 {
return nil
}
// Print table
for _, alert := range allAlerts {
bypassed := ""
if alert.PushProtection {
bypassed = cli.WarningStyle.Render(" (push protection bypassed)")
}
cli.Print("%-16s %-6d %-30s%s\n",
cli.ValueStyle.Render(alert.Repo),
alert.Number,
cli.ErrorStyle.Render(alert.SecretType),
bypassed,
)
}
cli.Blank()
return nil
}
Reference in a new issue View git blame Copy permalink