3365bfd5ba
* feat(mcp): add workspace root validation to prevent path traversal - Add workspaceRoot field to Service for restricting file operations - Add WithWorkspaceRoot() option for configuring the workspace directory - Add validatePath() helper to check paths are within workspace - Apply validation to all file operation handlers - Default to current working directory for security - Add comprehensive tests for path validation Closes #82 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: move CLI commands from pkg/ to internal/cmd/ - Move 18 CLI command packages to internal/cmd/ (not externally importable) - Keep 16 library packages in pkg/ (externally importable) - Update all import paths throughout codebase - Cleaner separation between CLI logic and reusable libraries CLI commands moved: ai, ci, dev, docs, doctor, gitcmd, go, monitor, php, pkgcmd, qa, sdk, security, setup, test, updater, vm, workspace Libraries remaining: agentic, build, cache, cli, container, devops, errors, framework, git, i18n, io, log, mcp, process, release, repos Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(mcp): use pkg/io Medium for sandboxed file operations Replace manual path validation with pkg/io.Medium for all file operations. This delegates security (path traversal, symlink bypass) to the sandboxed local.Medium implementation. Changes: - Add io.NewSandboxed() for creating sandboxed Medium instances - Refactor MCP Service to use io.Medium instead of direct os.* calls - Remove validatePath and resolvePathWithSymlinks functions - Update tests to verify Medium-based behaviour Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix: correct import path and workflow references - Fix pkg/io/io.go import from core-gui to core - Update CI workflows to use internal/cmd/updater path Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(security): address CodeRabbit review issues for path validation - pkg/io/local: add symlink resolution and boundary-aware containment - Reject absolute paths in sandboxed Medium - Use filepath.EvalSymlinks to prevent symlink bypass attacks - Fix prefix check to prevent /tmp/root matching /tmp/root2 - pkg/mcp: fix resolvePath to validate and return errors - Changed resolvePath from (string) to (string, error) - Update deleteFile, renameFile, listDirectory, fileExists to handle errors - Changed New() to return (*Service, error) instead of *Service - Properly propagate option errors instead of silently discarding - pkg/io: wrap errors with E() helper for consistent context - Copy() and MockMedium.Read() now use coreerr.E() - tests: rename to use _Good/_Bad/_Ugly suffixes per coding guidelines - Fix hardcoded /tmp in TestPath to use t.TempDir() - Add TestResolvePath_Bad_SymlinkTraversal test Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix gofmt formatting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix gofmt formatting across all files Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
281 lines
9.7 KiB
Go
281 lines
9.7 KiB
Go
// github_security.go implements GitHub security settings synchronization.
|
|
//
|
|
// Uses the gh api command for security settings:
|
|
// - gh api repos/{owner}/{repo}/vulnerability-alerts --method GET (check if enabled)
|
|
// - gh api repos/{owner}/{repo}/vulnerability-alerts --method PUT (enable)
|
|
// - gh api repos/{owner}/{repo}/automated-security-fixes --method PUT (enable dependabot updates)
|
|
// - gh api repos/{owner}/{repo} --method PATCH (security_and_analysis settings)
|
|
|
|
package setup
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"os/exec"
|
|
"strings"
|
|
|
|
"github.com/host-uk/core/pkg/cli"
|
|
)
|
|
|
|
// GitHubSecurityStatus represents the security settings status of a repository.
|
|
type GitHubSecurityStatus struct {
|
|
DependabotAlerts bool
|
|
DependabotSecurityUpdates bool
|
|
SecretScanning bool
|
|
SecretScanningPushProtection bool
|
|
}
|
|
|
|
// GitHubRepoResponse contains security-related fields from repo API.
|
|
type GitHubRepoResponse struct {
|
|
SecurityAndAnalysis *SecurityAndAnalysis `json:"security_and_analysis"`
|
|
}
|
|
|
|
// SecurityAndAnalysis contains security feature settings.
|
|
type SecurityAndAnalysis struct {
|
|
SecretScanning *SecurityFeature `json:"secret_scanning"`
|
|
SecretScanningPushProtection *SecurityFeature `json:"secret_scanning_push_protection"`
|
|
DependabotSecurityUpdates *SecurityFeature `json:"dependabot_security_updates"`
|
|
}
|
|
|
|
// SecurityFeature represents a single security feature status.
|
|
type SecurityFeature struct {
|
|
Status string `json:"status"` // "enabled" or "disabled"
|
|
}
|
|
|
|
// GetSecuritySettings fetches current security settings for a repository.
|
|
func GetSecuritySettings(repoFullName string) (*GitHubSecurityStatus, error) {
|
|
parts := strings.Split(repoFullName, "/")
|
|
if len(parts) != 2 {
|
|
return nil, fmt.Errorf("invalid repo format: %s", repoFullName)
|
|
}
|
|
|
|
status := &GitHubSecurityStatus{}
|
|
|
|
// Check Dependabot alerts (vulnerability alerts)
|
|
endpoint := fmt.Sprintf("repos/%s/%s/vulnerability-alerts", parts[0], parts[1])
|
|
cmd := exec.Command("gh", "api", endpoint, "--method", "GET")
|
|
_, err := cmd.Output()
|
|
if err == nil {
|
|
status.DependabotAlerts = true
|
|
} else if exitErr, ok := err.(*exec.ExitError); ok {
|
|
stderr := string(exitErr.Stderr)
|
|
// 404 means alerts are disabled, 204 means enabled
|
|
if strings.Contains(stderr, "403") {
|
|
return nil, cli.Err("insufficient permissions to check security settings")
|
|
}
|
|
// Other errors (like 404) mean alerts are disabled
|
|
status.DependabotAlerts = false
|
|
}
|
|
|
|
// Get repo security_and_analysis settings
|
|
endpoint = fmt.Sprintf("repos/%s/%s", parts[0], parts[1])
|
|
cmd = exec.Command("gh", "api", endpoint)
|
|
output, err := cmd.Output()
|
|
if err != nil {
|
|
if exitErr, ok := err.(*exec.ExitError); ok {
|
|
return nil, cli.Err("%s", strings.TrimSpace(string(exitErr.Stderr)))
|
|
}
|
|
return nil, err
|
|
}
|
|
|
|
var repo GitHubRepoResponse
|
|
if err := json.Unmarshal(output, &repo); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if repo.SecurityAndAnalysis != nil {
|
|
if repo.SecurityAndAnalysis.SecretScanning != nil {
|
|
status.SecretScanning = repo.SecurityAndAnalysis.SecretScanning.Status == "enabled"
|
|
}
|
|
if repo.SecurityAndAnalysis.SecretScanningPushProtection != nil {
|
|
status.SecretScanningPushProtection = repo.SecurityAndAnalysis.SecretScanningPushProtection.Status == "enabled"
|
|
}
|
|
if repo.SecurityAndAnalysis.DependabotSecurityUpdates != nil {
|
|
status.DependabotSecurityUpdates = repo.SecurityAndAnalysis.DependabotSecurityUpdates.Status == "enabled"
|
|
}
|
|
}
|
|
|
|
return status, nil
|
|
}
|
|
|
|
// EnableDependabotAlerts enables Dependabot vulnerability alerts.
|
|
func EnableDependabotAlerts(repoFullName string) error {
|
|
parts := strings.Split(repoFullName, "/")
|
|
if len(parts) != 2 {
|
|
return fmt.Errorf("invalid repo format: %s", repoFullName)
|
|
}
|
|
|
|
endpoint := fmt.Sprintf("repos/%s/%s/vulnerability-alerts", parts[0], parts[1])
|
|
cmd := exec.Command("gh", "api", endpoint, "--method", "PUT")
|
|
output, err := cmd.CombinedOutput()
|
|
if err != nil {
|
|
return cli.Err("%s", strings.TrimSpace(string(output)))
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// EnableDependabotSecurityUpdates enables automated Dependabot security updates.
|
|
func EnableDependabotSecurityUpdates(repoFullName string) error {
|
|
parts := strings.Split(repoFullName, "/")
|
|
if len(parts) != 2 {
|
|
return fmt.Errorf("invalid repo format: %s", repoFullName)
|
|
}
|
|
|
|
endpoint := fmt.Sprintf("repos/%s/%s/automated-security-fixes", parts[0], parts[1])
|
|
cmd := exec.Command("gh", "api", endpoint, "--method", "PUT")
|
|
output, err := cmd.CombinedOutput()
|
|
if err != nil {
|
|
return cli.Err("%s", strings.TrimSpace(string(output)))
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// DisableDependabotSecurityUpdates disables automated Dependabot security updates.
|
|
func DisableDependabotSecurityUpdates(repoFullName string) error {
|
|
parts := strings.Split(repoFullName, "/")
|
|
if len(parts) != 2 {
|
|
return fmt.Errorf("invalid repo format: %s", repoFullName)
|
|
}
|
|
|
|
endpoint := fmt.Sprintf("repos/%s/%s/automated-security-fixes", parts[0], parts[1])
|
|
cmd := exec.Command("gh", "api", endpoint, "--method", "DELETE")
|
|
output, err := cmd.CombinedOutput()
|
|
if err != nil {
|
|
return cli.Err("%s", strings.TrimSpace(string(output)))
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// UpdateSecurityAndAnalysis updates security_and_analysis settings.
|
|
func UpdateSecurityAndAnalysis(repoFullName string, secretScanning, pushProtection bool) error {
|
|
parts := strings.Split(repoFullName, "/")
|
|
if len(parts) != 2 {
|
|
return fmt.Errorf("invalid repo format: %s", repoFullName)
|
|
}
|
|
|
|
// Build the payload
|
|
payload := map[string]interface{}{
|
|
"security_and_analysis": map[string]interface{}{
|
|
"secret_scanning": map[string]string{
|
|
"status": boolToStatus(secretScanning),
|
|
},
|
|
"secret_scanning_push_protection": map[string]string{
|
|
"status": boolToStatus(pushProtection),
|
|
},
|
|
},
|
|
}
|
|
|
|
payloadJSON, err := json.Marshal(payload)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
endpoint := fmt.Sprintf("repos/%s/%s", parts[0], parts[1])
|
|
cmd := exec.Command("gh", "api", endpoint, "--method", "PATCH", "--input", "-")
|
|
cmd.Stdin = strings.NewReader(string(payloadJSON))
|
|
output, err := cmd.CombinedOutput()
|
|
if err != nil {
|
|
errStr := strings.TrimSpace(string(output))
|
|
// Some repos (private without GHAS) don't support these features
|
|
if strings.Contains(errStr, "secret scanning") || strings.Contains(errStr, "not available") {
|
|
return nil // Silently skip unsupported features
|
|
}
|
|
return cli.Err("%s", errStr)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func boolToStatus(b bool) string {
|
|
if b {
|
|
return "enabled"
|
|
}
|
|
return "disabled"
|
|
}
|
|
|
|
// SyncSecuritySettings synchronizes security settings for a repository.
|
|
func SyncSecuritySettings(repoFullName string, config *GitHubConfig, dryRun bool) (*ChangeSet, error) {
|
|
changes := NewChangeSet(repoFullName)
|
|
|
|
// Get current settings
|
|
existing, err := GetSecuritySettings(repoFullName)
|
|
if err != nil {
|
|
// If permission denied, note it but don't fail
|
|
if strings.Contains(err.Error(), "insufficient permissions") {
|
|
changes.Add(CategorySecurity, ChangeSkip, "all", "insufficient permissions")
|
|
return changes, nil
|
|
}
|
|
return nil, cli.Wrap(err, "failed to get security settings")
|
|
}
|
|
|
|
wantConfig := config.Security
|
|
|
|
// Check Dependabot alerts
|
|
if wantConfig.DependabotAlerts && !existing.DependabotAlerts {
|
|
changes.Add(CategorySecurity, ChangeCreate, "dependabot_alerts", "enable")
|
|
if !dryRun {
|
|
if err := EnableDependabotAlerts(repoFullName); err != nil {
|
|
return changes, cli.Wrap(err, "failed to enable dependabot alerts")
|
|
}
|
|
}
|
|
} else if !wantConfig.DependabotAlerts && existing.DependabotAlerts {
|
|
changes.Add(CategorySecurity, ChangeSkip, "dependabot_alerts", "cannot disable via API")
|
|
} else {
|
|
changes.Add(CategorySecurity, ChangeSkip, "dependabot_alerts", "up to date")
|
|
}
|
|
|
|
// Check Dependabot security updates
|
|
if wantConfig.DependabotSecurityUpdates && !existing.DependabotSecurityUpdates {
|
|
changes.Add(CategorySecurity, ChangeCreate, "dependabot_security_updates", "enable")
|
|
if !dryRun {
|
|
if err := EnableDependabotSecurityUpdates(repoFullName); err != nil {
|
|
// This might fail if alerts aren't enabled first
|
|
return changes, cli.Wrap(err, "failed to enable dependabot security updates")
|
|
}
|
|
}
|
|
} else if !wantConfig.DependabotSecurityUpdates && existing.DependabotSecurityUpdates {
|
|
changes.Add(CategorySecurity, ChangeDelete, "dependabot_security_updates", "disable")
|
|
if !dryRun {
|
|
if err := DisableDependabotSecurityUpdates(repoFullName); err != nil {
|
|
return changes, cli.Wrap(err, "failed to disable dependabot security updates")
|
|
}
|
|
}
|
|
} else {
|
|
changes.Add(CategorySecurity, ChangeSkip, "dependabot_security_updates", "up to date")
|
|
}
|
|
|
|
// Check secret scanning and push protection
|
|
needsSecurityUpdate := false
|
|
if wantConfig.SecretScanning != existing.SecretScanning {
|
|
needsSecurityUpdate = true
|
|
if wantConfig.SecretScanning {
|
|
changes.Add(CategorySecurity, ChangeCreate, "secret_scanning", "enable")
|
|
} else {
|
|
changes.Add(CategorySecurity, ChangeDelete, "secret_scanning", "disable")
|
|
}
|
|
} else {
|
|
changes.Add(CategorySecurity, ChangeSkip, "secret_scanning", "up to date")
|
|
}
|
|
|
|
if wantConfig.SecretScanningPushProtection != existing.SecretScanningPushProtection {
|
|
needsSecurityUpdate = true
|
|
if wantConfig.SecretScanningPushProtection {
|
|
changes.Add(CategorySecurity, ChangeCreate, "push_protection", "enable")
|
|
} else {
|
|
changes.Add(CategorySecurity, ChangeDelete, "push_protection", "disable")
|
|
}
|
|
} else {
|
|
changes.Add(CategorySecurity, ChangeSkip, "push_protection", "up to date")
|
|
}
|
|
|
|
// Apply security_and_analysis changes
|
|
if needsSecurityUpdate && !dryRun {
|
|
if err := UpdateSecurityAndAnalysis(repoFullName, wantConfig.SecretScanning, wantConfig.SecretScanningPushProtection); err != nil {
|
|
// Don't fail on unsupported features
|
|
if !strings.Contains(err.Error(), "not available") {
|
|
return changes, cli.Wrap(err, "failed to update security settings")
|
|
}
|
|
}
|
|
}
|
|
|
|
return changes, nil
|
|
}
|