fix(security): unify root-bound write hardening

Peter Steinberger
2026-03-02 17:11:04 +00:00
parent be3a62c5e0
commit 104d32bb64
13 changed files with 427 additions and 41 deletions


@@ -9,6 +9,7 @@ import {
} from "../infra/install-mode-options.js";
import { installPackageDir } from "../infra/install-package-dir.js";
import {
assertCanonicalPathWithinBase,
resolveSafeInstallDir,
safeDirName,
unscopedPackageName,
@@ -234,6 +235,15 @@ async function installPluginFromPackageDir(params: {
return { ok: false, error: targetDirResult.error };
}
const targetDir = targetDirResult.path;
try {
await assertCanonicalPathWithinBase({
baseDir: extensionsDir,
candidatePath: targetDir,
boundaryLabel: "extensions directory",
});
} catch (err) {
return { ok: false, error: err instanceof Error ? err.message : String(err) };
}
if (mode === "install" && (await fileExists(targetDir))) {
return {