* feat(mcp): add workspace root validation to prevent path traversal

  - Add workspaceRoot field to Service for restricting file operations
  - Add WithWorkspaceRoot() option for configuring the workspace directory
  - Add validatePath() helper to check paths are within workspace
  - Apply validation to all file operation handlers
  - Default to current working directory for security
  - Add comprehensive tests for path validation

  Closes #82

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: move CLI commands from pkg/ to internal/cmd/

  - Move 18 CLI command packages to internal/cmd/ (not externally importable)
  - Keep 16 library packages in pkg/ (externally importable)
  - Update all import paths throughout codebase
  - Cleaner separation between CLI logic and reusable libraries

  CLI commands moved: ai, ci, dev, docs, doctor, gitcmd, go, monitor, php, pkgcmd, qa, sdk, security, setup, test, updater, vm, workspace

  Libraries remaining: agentic, build, cache, cli, container, devops, errors, framework, git, i18n, io, log, mcp, process, release, repos

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor(mcp): use pkg/io Medium for sandboxed file operations

  Replace manual path validation with pkg/io.Medium for all file operations. This delegates security (path traversal, symlink bypass) to the sandboxed local.Medium implementation.

  Changes:
  - Add io.NewSandboxed() for creating sandboxed Medium instances
  - Refactor MCP Service to use io.Medium instead of direct os.* calls
  - Remove validatePath and resolvePathWithSymlinks functions
  - Update tests to verify Medium-based behaviour

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: correct import path and workflow references

  - Fix pkg/io/io.go import from core-gui to core
  - Update CI workflows to use internal/cmd/updater path

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(security): address CodeRabbit review issues for path validation

  - pkg/io/local: add symlink resolution and boundary-aware containment
    - Reject absolute paths in sandboxed Medium
    - Use filepath.EvalSymlinks to prevent symlink bypass attacks
    - Fix prefix check to prevent /tmp/root matching /tmp/root2
  - pkg/mcp: fix resolvePath to validate and return errors
    - Changed resolvePath from (string) to (string, error)
    - Update deleteFile, renameFile, listDirectory, fileExists to handle errors
    - Changed New() to return (*Service, error) instead of *Service
    - Properly propagate option errors instead of silently discarding
  - pkg/io: wrap errors with E() helper for consistent context
    - Copy() and MockMedium.Read() now use coreerr.E()
  - tests: rename to use _Good/_Bad/_Ugly suffixes per coding guidelines
    - Fix hardcoded /tmp in TestPath to use t.TempDir()
    - Add TestResolvePath_Bad_SymlinkTraversal test

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: fix gofmt formatting

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: fix gofmt formatting across all files

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
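The three containment rules named in the fix(security) entry above (reject absolute input, resolve symlinks before comparing, separator-aware prefix check so /tmp/root does not accept /tmp/root2), worked through in Go as an added example; this is not the repository's pkg/io Medium code, and the Sandbox type and its methods are hypothetical names. It goes slightly beyond the commit text by also handling a leaf that does not exist yet, which a write operation needs.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Sandbox confines file operations to one directory tree (hypothetical type).
type Sandbox struct{ root string } // absolute, symlink-resolved

// NewSandbox resolves the root once so containment checks compare real paths.
func NewSandbox(root string) (*Sandbox, error) {
	abs, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	resolvedRoot, err := filepath.EvalSymlinks(abs)
	if err != nil {
		return nil, err
	}
	return &Sandbox{root: resolvedRoot}, nil
}

// Resolve maps a relative request to an absolute path inside root: it rejects
// absolute input, resolves symlinks on the deepest existing ancestor (the leaf
// may not exist yet), and checks containment with a separator-aware prefix.
func (s *Sandbox) Resolve(rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", fmt.Errorf("absolute path not allowed: %q", rel)
	}
	existing, tail := filepath.Join(s.root, rel), "" // Join also cleans ".." segments
	for {
		if _, err := os.Lstat(existing); err == nil {
			break // root is absolute, so this terminates at "/" at the latest
		}
		existing, tail = filepath.Dir(existing), filepath.Join(filepath.Base(existing), tail)
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	final := filepath.Join(resolved, tail)
	if final != s.root && !strings.HasPrefix(final, s.root+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes workspace root %s", rel, s.root)
	}
	return final, nil
}
```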
Core Element Template
This repository is a template for developers to create custom HTML elements for the core web3 framework. It includes a Go backend, an Angular custom element, and a full release cycle configuration.
Getting Started
- Clone the repository:

  ```sh
  git clone https://github.com/your-username/core-element-template.git
  ```

- Install the dependencies:

  ```sh
  cd core-element-template
  go mod tidy
  cd ui
  npm install
  ```

- Run the development server:

  ```sh
  go run ./cmd/demo-cli serve
  ```

  This will start the Go backend and serve the Angular custom element.
Building the Custom Element
To build the Angular custom element, run the following command:
```sh
cd ui
npm run build
```
This will create a single JavaScript file in the dist directory that you can use in any HTML page.
Usage
To use the updater library in your Go project, you can use the UpdateService.
GitHub-based Updates
```go
package main

import (
	"fmt"
	"log"

	"github.com/snider/updater"
)

func main() {
	config := updater.UpdateServiceConfig{
		RepoURL:        "https://github.com/owner/repo",
		Channel:        "stable",
		CheckOnStartup: updater.CheckAndUpdateOnStartup,
	}

	updateService, err := updater.NewUpdateService(config)
	if err != nil {
		log.Fatalf("Failed to create update service: %v", err)
	}

	if err := updateService.Start(); err != nil {
		fmt.Printf("Update check failed: %v\n", err)
	}
}
```
Generic HTTP Updates
For updates from a generic HTTP server, the server should provide a latest.json file at the root of the RepoURL. The JSON file should have the following structure:
```json
{
  "version": "1.2.3",
  "url": "https://your-server.com/path/to/release-asset"
}
```
You can then configure the UpdateService as follows:
```go
package main

import (
	"fmt"
	"log"

	"github.com/snider/updater"
)

func main() {
	config := updater.UpdateServiceConfig{
		RepoURL:        "https://your-server.com",
		CheckOnStartup: updater.CheckAndUpdateOnStartup,
	}

	updateService, err := updater.NewUpdateService(config)
	if err != nil {
		log.Fatalf("Failed to create update service: %v", err)
	}

	if err := updateService.Start(); err != nil {
		fmt.Printf("Update check failed: %v\n", err)
	}
}
```
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
This project is licensed under the EUPL-1.2 License - see the LICENSE file for details.