3365bfd5ba
* feat(mcp): add workspace root validation to prevent path traversal - Add workspaceRoot field to Service for restricting file operations - Add WithWorkspaceRoot() option for configuring the workspace directory - Add validatePath() helper to check paths are within workspace - Apply validation to all file operation handlers - Default to current working directory for security - Add comprehensive tests for path validation Closes #82 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: move CLI commands from pkg/ to internal/cmd/ - Move 18 CLI command packages to internal/cmd/ (not externally importable) - Keep 16 library packages in pkg/ (externally importable) - Update all import paths throughout codebase - Cleaner separation between CLI logic and reusable libraries CLI commands moved: ai, ci, dev, docs, doctor, gitcmd, go, monitor, php, pkgcmd, qa, sdk, security, setup, test, updater, vm, workspace Libraries remaining: agentic, build, cache, cli, container, devops, errors, framework, git, i18n, io, log, mcp, process, release, repos Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(mcp): use pkg/io Medium for sandboxed file operations Replace manual path validation with pkg/io.Medium for all file operations. This delegates security (path traversal, symlink bypass) to the sandboxed local.Medium implementation. Changes: - Add io.NewSandboxed() for creating sandboxed Medium instances - Refactor MCP Service to use io.Medium instead of direct os.* calls - Remove validatePath and resolvePathWithSymlinks functions - Update tests to verify Medium-based behaviour Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix: correct import path and workflow references - Fix pkg/io/io.go import from core-gui to core - Update CI workflows to use internal/cmd/updater path Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(security): address CodeRabbit review issues for path validation - pkg/io/local: add symlink resolution and boundary-aware containment - Reject absolute paths in sandboxed Medium - Use filepath.EvalSymlinks to prevent symlink bypass attacks - Fix prefix check to prevent /tmp/root matching /tmp/root2 - pkg/mcp: fix resolvePath to validate and return errors - Changed resolvePath from (string) to (string, error) - Update deleteFile, renameFile, listDirectory, fileExists to handle errors - Changed New() to return (*Service, error) instead of *Service - Properly propagate option errors instead of silently discarding - pkg/io: wrap errors with E() helper for consistent context - Copy() and MockMedium.Read() now use coreerr.E() - tests: rename to use _Good/_Bad/_Ugly suffixes per coding guidelines - Fix hardcoded /tmp in TestPath to use t.TempDir() - Add TestResolvePath_Bad_SymlinkTraversal test Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix gofmt formatting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix gofmt formatting across all files Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
244 lines
6.1 KiB
Go
244 lines
6.1 KiB
Go
package security
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"os/exec"
|
|
"strings"
|
|
|
|
"github.com/host-uk/core/pkg/cli"
|
|
"github.com/host-uk/core/pkg/i18n"
|
|
"github.com/host-uk/core/pkg/repos"
|
|
)
|
|
|
|
var (
|
|
// Command flags
|
|
securityRegistryPath string
|
|
securityRepo string
|
|
securitySeverity string
|
|
securityJSON bool
|
|
)
|
|
|
|
// AddSecurityCommands adds the 'security' command to the root.
|
|
func AddSecurityCommands(root *cli.Command) {
|
|
secCmd := &cli.Command{
|
|
Use: "security",
|
|
Short: i18n.T("cmd.security.short"),
|
|
Long: i18n.T("cmd.security.long"),
|
|
}
|
|
|
|
addAlertsCommand(secCmd)
|
|
addDepsCommand(secCmd)
|
|
addScanCommand(secCmd)
|
|
addSecretsCommand(secCmd)
|
|
|
|
root.AddCommand(secCmd)
|
|
}
|
|
|
|
// DependabotAlert represents a Dependabot vulnerability alert.
|
|
type DependabotAlert struct {
|
|
Number int `json:"number"`
|
|
State string `json:"state"`
|
|
Advisory struct {
|
|
Severity string `json:"severity"`
|
|
CVEID string `json:"cve_id"`
|
|
Summary string `json:"summary"`
|
|
Description string `json:"description"`
|
|
} `json:"security_advisory"`
|
|
Dependency struct {
|
|
Package struct {
|
|
Name string `json:"name"`
|
|
Ecosystem string `json:"ecosystem"`
|
|
} `json:"package"`
|
|
ManifestPath string `json:"manifest_path"`
|
|
} `json:"dependency"`
|
|
SecurityVulnerability struct {
|
|
Package struct {
|
|
Name string `json:"name"`
|
|
Ecosystem string `json:"ecosystem"`
|
|
} `json:"package"`
|
|
FirstPatchedVersion struct {
|
|
Identifier string `json:"identifier"`
|
|
} `json:"first_patched_version"`
|
|
VulnerableVersionRange string `json:"vulnerable_version_range"`
|
|
} `json:"security_vulnerability"`
|
|
}
|
|
|
|
// CodeScanningAlert represents a code scanning alert.
|
|
type CodeScanningAlert struct {
|
|
Number int `json:"number"`
|
|
State string `json:"state"`
|
|
DismissedReason string `json:"dismissed_reason"`
|
|
Rule struct {
|
|
ID string `json:"id"`
|
|
Severity string `json:"severity"`
|
|
Description string `json:"description"`
|
|
Tags []string `json:"tags"`
|
|
} `json:"rule"`
|
|
Tool struct {
|
|
Name string `json:"name"`
|
|
Version string `json:"version"`
|
|
} `json:"tool"`
|
|
MostRecentInstance struct {
|
|
Location struct {
|
|
Path string `json:"path"`
|
|
StartLine int `json:"start_line"`
|
|
EndLine int `json:"end_line"`
|
|
} `json:"location"`
|
|
Message struct {
|
|
Text string `json:"text"`
|
|
} `json:"message"`
|
|
} `json:"most_recent_instance"`
|
|
}
|
|
|
|
// SecretScanningAlert represents a secret scanning alert.
|
|
type SecretScanningAlert struct {
|
|
Number int `json:"number"`
|
|
State string `json:"state"`
|
|
SecretType string `json:"secret_type"`
|
|
Secret string `json:"secret"`
|
|
PushProtection bool `json:"push_protection_bypassed"`
|
|
Resolution string `json:"resolution"`
|
|
}
|
|
|
|
// loadRegistry loads the repository registry.
|
|
func loadRegistry(registryPath string) (*repos.Registry, error) {
|
|
if registryPath != "" {
|
|
reg, err := repos.LoadRegistry(registryPath)
|
|
if err != nil {
|
|
return nil, cli.Wrap(err, "load registry")
|
|
}
|
|
return reg, nil
|
|
}
|
|
|
|
path, err := repos.FindRegistry()
|
|
if err != nil {
|
|
return nil, cli.Wrap(err, "find registry")
|
|
}
|
|
reg, err := repos.LoadRegistry(path)
|
|
if err != nil {
|
|
return nil, cli.Wrap(err, "load registry")
|
|
}
|
|
return reg, nil
|
|
}
|
|
|
|
// checkGH verifies gh CLI is available.
|
|
func checkGH() error {
|
|
if _, err := exec.LookPath("gh"); err != nil {
|
|
return errors.New(i18n.T("error.gh_not_found"))
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// runGHAPI runs a gh api command and returns the output.
|
|
func runGHAPI(endpoint string) ([]byte, error) {
|
|
cmd := exec.Command("gh", "api", endpoint, "--paginate")
|
|
output, err := cmd.Output()
|
|
if err != nil {
|
|
if exitErr, ok := err.(*exec.ExitError); ok {
|
|
stderr := string(exitErr.Stderr)
|
|
// Handle common errors gracefully
|
|
if strings.Contains(stderr, "404") || strings.Contains(stderr, "Not Found") {
|
|
return []byte("[]"), nil // Return empty array for not found
|
|
}
|
|
if strings.Contains(stderr, "403") {
|
|
return nil, fmt.Errorf("access denied (check token permissions)")
|
|
}
|
|
}
|
|
return nil, cli.Wrap(err, "run gh api")
|
|
}
|
|
return output, nil
|
|
}
|
|
|
|
// severityStyle returns the appropriate style for a severity level.
|
|
func severityStyle(severity string) *cli.AnsiStyle {
|
|
switch strings.ToLower(severity) {
|
|
case "critical":
|
|
return cli.ErrorStyle
|
|
case "high":
|
|
return cli.WarningStyle
|
|
case "medium":
|
|
return cli.ValueStyle
|
|
default:
|
|
return cli.DimStyle
|
|
}
|
|
}
|
|
|
|
// filterBySeverity checks if the severity matches the filter.
|
|
func filterBySeverity(severity, filter string) bool {
|
|
if filter == "" {
|
|
return true
|
|
}
|
|
|
|
severities := strings.Split(strings.ToLower(filter), ",")
|
|
sev := strings.ToLower(severity)
|
|
|
|
for _, s := range severities {
|
|
if strings.TrimSpace(s) == sev {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// getReposToCheck returns the list of repos to check based on flags.
|
|
func getReposToCheck(reg *repos.Registry, repoFilter string) []*repos.Repo {
|
|
if repoFilter != "" {
|
|
if repo, ok := reg.Get(repoFilter); ok {
|
|
return []*repos.Repo{repo}
|
|
}
|
|
return nil
|
|
}
|
|
return reg.List()
|
|
}
|
|
|
|
// AlertSummary holds aggregated alert counts.
|
|
type AlertSummary struct {
|
|
Critical int
|
|
High int
|
|
Medium int
|
|
Low int
|
|
Unknown int
|
|
Total int
|
|
}
|
|
|
|
// Add increments summary counters for the provided severity.
|
|
func (s *AlertSummary) Add(severity string) {
|
|
s.Total++
|
|
switch strings.ToLower(severity) {
|
|
case "critical":
|
|
s.Critical++
|
|
case "high":
|
|
s.High++
|
|
case "medium":
|
|
s.Medium++
|
|
case "low":
|
|
s.Low++
|
|
default:
|
|
s.Unknown++
|
|
}
|
|
}
|
|
|
|
// String renders a human-readable summary of alert counts.
|
|
func (s *AlertSummary) String() string {
|
|
parts := []string{}
|
|
if s.Critical > 0 {
|
|
parts = append(parts, cli.ErrorStyle.Render(fmt.Sprintf("%d critical", s.Critical)))
|
|
}
|
|
if s.High > 0 {
|
|
parts = append(parts, cli.WarningStyle.Render(fmt.Sprintf("%d high", s.High)))
|
|
}
|
|
if s.Medium > 0 {
|
|
parts = append(parts, cli.ValueStyle.Render(fmt.Sprintf("%d medium", s.Medium)))
|
|
}
|
|
if s.Low > 0 {
|
|
parts = append(parts, cli.DimStyle.Render(fmt.Sprintf("%d low", s.Low)))
|
|
}
|
|
if s.Unknown > 0 {
|
|
parts = append(parts, cli.DimStyle.Render(fmt.Sprintf("%d unknown", s.Unknown)))
|
|
}
|
|
if len(parts) == 0 {
|
|
return cli.SuccessStyle.Render("No alerts")
|
|
}
|
|
return strings.Join(parts, " | ")
|
|
}
|