mirror of
https://github.com/siteboon/claudecodeui.git
synced 2026-05-15 17:03:20 +00:00
631695ef73
* feat(providers): surface skills in slash command menu Provider skills were hidden behind provider-specific filesystem rules. That made the backend and UI unable to offer one discovery path for skills. Add a normalized skills contract, provider service, and provider skills API. Keep provider-specific lookup rules inside adapters so routes and UI stay generic. Claude needs plugin handling because enabled plugins resolve through installed_plugins.json. Plugin folders can expose commands or skills, so Claude scans both forms. Claude plugin commands are namespaced to avoid collisions with user and project skills. Codex, Gemini, and Cursor adapters map their expected skill roots into the same contract. The slash menu now shows skills beside built-in and custom commands for discovery. The menu avoids mid-message activation, duplicate rows, loose namespace matches, and input overlap. Provider tests cover discovery locations and Claude plugin edge cases. * fix(providers): guard invalid skill command namespaces Claude plugin ids come from local settings and installed plugin metadata. Invalid ids such as empty strings or @ should not become command namespaces. Skip plugin folders when no safe plugin name can be derived. This prevents malformed slash commands like /:command from reaching the UI. Add regression coverage for empty and @ plugin ids. Keyboard selection in the slash menu should match mouse selection. Only skills are inserted into the composer because they are provider invocations. Built-in and custom commands execute directly and close the menu on success or failure. * fix(security): centralize safe frontmatter parsing Move frontmatter parsing into server/shared/frontmatter.ts so every backend caller uses the same gray-matter configuration instead of importing gray-matter directly. The goal is to keep executable JS and JSON frontmatter engines disabled for all markdown discovered from the filesystem, not only command routes. Provider skills and shared skill metadata now go through parseFrontMatter too. That closes the gap where plugin or provider markdown could regain default gray-matter behavior simply because it lived outside the original command path. Classify the new parser in backend boundaries so modules can depend on the safe shared API without reaching into legacy utility paths. * feat(providers): add comprehensive guide for provider module setup and usage
306 lines
8.6 KiB
JavaScript
306 lines
8.6 KiB
JavaScript
import { execFile } from 'child_process';
|
|
import { promises as fs } from 'fs';
|
|
import path from 'path';
|
|
import { promisify } from 'util';
|
|
|
|
import { parse as parseShellCommand } from 'shell-quote';
|
|
|
|
import { parseFrontMatter } from '../shared/frontmatter.js';
|
|
|
|
const execFileAsync = promisify(execFile);
|
|
|
|
// Configuration
|
|
const MAX_INCLUDE_DEPTH = 3;
|
|
const BASH_TIMEOUT = 30000; // 30 seconds
|
|
const BASH_COMMAND_ALLOWLIST = [
|
|
'echo',
|
|
'ls',
|
|
'pwd',
|
|
'date',
|
|
'whoami',
|
|
'git',
|
|
'npm',
|
|
'node',
|
|
'cat',
|
|
'grep',
|
|
'find',
|
|
'task-master'
|
|
];
|
|
|
|
/**
|
|
* Parse a markdown command file and extract frontmatter and content
|
|
* @param {string} content - Raw markdown content
|
|
* @returns {object} Parsed command with data (frontmatter) and content
|
|
*/
|
|
export function parseCommand(content) {
|
|
try {
|
|
const parsed = parseFrontMatter(content);
|
|
return {
|
|
data: parsed.data || {},
|
|
content: parsed.content || '',
|
|
raw: content
|
|
};
|
|
} catch (error) {
|
|
throw new Error(`Failed to parse command: ${error.message}`);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Replace argument placeholders in content
|
|
* @param {string} content - Content with placeholders
|
|
* @param {string|array} args - Arguments to replace (string or array)
|
|
* @returns {string} Content with replaced arguments
|
|
*/
|
|
export function replaceArguments(content, args) {
|
|
if (!content) return content;
|
|
|
|
let result = content;
|
|
|
|
// Convert args to array if it's a string
|
|
const argsArray = Array.isArray(args) ? args : (args ? [args] : []);
|
|
|
|
// Replace $ARGUMENTS with all arguments joined by space
|
|
const allArgs = argsArray.join(' ');
|
|
result = result.replace(/\$ARGUMENTS/g, allArgs);
|
|
|
|
// Replace positional arguments $1-$9
|
|
for (let i = 1; i <= 9; i++) {
|
|
const regex = new RegExp(`\\$${i}`, 'g');
|
|
const value = argsArray[i - 1] || '';
|
|
result = result.replace(regex, value);
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* Validate file path to prevent directory traversal
|
|
* @param {string} filePath - Path to validate
|
|
* @param {string} basePath - Base directory path
|
|
* @returns {boolean} True if path is safe
|
|
*/
|
|
export function isPathSafe(filePath, basePath) {
|
|
const resolvedPath = path.resolve(basePath, filePath);
|
|
const resolvedBase = path.resolve(basePath);
|
|
const relative = path.relative(resolvedBase, resolvedPath);
|
|
return (
|
|
relative !== '' &&
|
|
!relative.startsWith('..') &&
|
|
!path.isAbsolute(relative)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Process file includes in content (@filename syntax)
|
|
* @param {string} content - Content with @filename includes
|
|
* @param {string} basePath - Base directory for resolving file paths
|
|
* @param {number} depth - Current recursion depth
|
|
* @returns {Promise<string>} Content with includes resolved
|
|
*/
|
|
export async function processFileIncludes(content, basePath, depth = 0) {
|
|
if (!content) return content;
|
|
|
|
// Prevent infinite recursion
|
|
if (depth >= MAX_INCLUDE_DEPTH) {
|
|
throw new Error(`Maximum include depth (${MAX_INCLUDE_DEPTH}) exceeded`);
|
|
}
|
|
|
|
// Match @filename patterns (at start of line or after whitespace)
|
|
const includePattern = /(?:^|\s)@([^\s]+)/gm;
|
|
const matches = [...content.matchAll(includePattern)];
|
|
|
|
if (matches.length === 0) {
|
|
return content;
|
|
}
|
|
|
|
let result = content;
|
|
|
|
for (const match of matches) {
|
|
const fullMatch = match[0];
|
|
const filename = match[1];
|
|
|
|
// Security: prevent directory traversal
|
|
if (!isPathSafe(filename, basePath)) {
|
|
throw new Error(`Invalid file path (directory traversal detected): ${filename}`);
|
|
}
|
|
|
|
try {
|
|
const filePath = path.resolve(basePath, filename);
|
|
const fileContent = await fs.readFile(filePath, 'utf-8');
|
|
|
|
// Recursively process includes in the included file
|
|
const processedContent = await processFileIncludes(fileContent, basePath, depth + 1);
|
|
|
|
// Replace the @filename with the file content
|
|
result = result.replace(fullMatch, fullMatch.startsWith(' ') ? ' ' + processedContent : processedContent);
|
|
} catch (error) {
|
|
if (error.code === 'ENOENT') {
|
|
throw new Error(`File not found: ${filename}`);
|
|
}
|
|
throw error;
|
|
}
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* Validate that a command and its arguments are safe
|
|
* @param {string} commandString - Command string to validate
|
|
* @returns {{ allowed: boolean, command: string, args: string[], error?: string }} Validation result
|
|
*/
|
|
export function validateCommand(commandString) {
|
|
const trimmedCommand = commandString.trim();
|
|
if (!trimmedCommand) {
|
|
return { allowed: false, command: '', args: [], error: 'Empty command' };
|
|
}
|
|
|
|
// Parse the command using shell-quote to handle quotes properly
|
|
const parsed = parseShellCommand(trimmedCommand);
|
|
|
|
// Check for shell operators or control structures
|
|
const hasOperators = parsed.some(token =>
|
|
typeof token === 'object' && token.op
|
|
);
|
|
|
|
if (hasOperators) {
|
|
return {
|
|
allowed: false,
|
|
command: '',
|
|
args: [],
|
|
error: 'Shell operators (&&, ||, |, ;, etc.) are not allowed'
|
|
};
|
|
}
|
|
|
|
// Extract command and args (all should be strings after validation)
|
|
const tokens = parsed.filter(token => typeof token === 'string');
|
|
|
|
if (tokens.length === 0) {
|
|
return { allowed: false, command: '', args: [], error: 'No valid command found' };
|
|
}
|
|
|
|
const [command, ...args] = tokens;
|
|
|
|
// Extract just the command name (remove path if present)
|
|
const commandName = path.basename(command);
|
|
|
|
// Check if command exactly matches allowlist (no prefix matching)
|
|
const isAllowed = BASH_COMMAND_ALLOWLIST.includes(commandName);
|
|
|
|
if (!isAllowed) {
|
|
return {
|
|
allowed: false,
|
|
command: commandName,
|
|
args,
|
|
error: `Command '${commandName}' is not in the allowlist`
|
|
};
|
|
}
|
|
|
|
// Validate arguments don't contain dangerous metacharacters
|
|
const dangerousPattern = /[;&|`$()<>{}[\]\\]/;
|
|
for (const arg of args) {
|
|
if (dangerousPattern.test(arg)) {
|
|
return {
|
|
allowed: false,
|
|
command: commandName,
|
|
args,
|
|
error: `Argument contains dangerous characters: ${arg}`
|
|
};
|
|
}
|
|
}
|
|
|
|
return { allowed: true, command: commandName, args };
|
|
}
|
|
|
|
/**
|
|
* Backward compatibility: Check if command is allowed (deprecated)
|
|
* @deprecated Use validateCommand() instead for better security
|
|
* @param {string} command - Command to validate
|
|
* @returns {boolean} True if command is allowed
|
|
*/
|
|
export function isBashCommandAllowed(command) {
|
|
const result = validateCommand(command);
|
|
return result.allowed;
|
|
}
|
|
|
|
/**
|
|
* Sanitize bash command output
|
|
* @param {string} output - Raw command output
|
|
* @returns {string} Sanitized output
|
|
*/
|
|
export function sanitizeOutput(output) {
|
|
if (!output) return '';
|
|
|
|
// Remove control characters except \t, \n, \r
|
|
return [...output]
|
|
.filter(ch => {
|
|
const code = ch.charCodeAt(0);
|
|
return code === 9 // \t
|
|
|| code === 10 // \n
|
|
|| code === 13 // \r
|
|
|| (code >= 32 && code !== 127);
|
|
})
|
|
.join('');
|
|
}
|
|
|
|
/**
|
|
* Process bash commands in content (!command syntax)
|
|
* @param {string} content - Content with !command syntax
|
|
* @param {object} options - Options for bash execution
|
|
* @returns {Promise<string>} Content with bash commands executed and replaced
|
|
*/
|
|
export async function processBashCommands(content, options = {}) {
|
|
if (!content) return content;
|
|
|
|
const { cwd = process.cwd(), timeout = BASH_TIMEOUT } = options;
|
|
|
|
// Match !command patterns (at start of line or after whitespace)
|
|
const commandPattern = /(?:^|\n)!(.+?)(?=\n|$)/g;
|
|
const matches = [...content.matchAll(commandPattern)];
|
|
|
|
if (matches.length === 0) {
|
|
return content;
|
|
}
|
|
|
|
let result = content;
|
|
|
|
for (const match of matches) {
|
|
const fullMatch = match[0];
|
|
const commandString = match[1].trim();
|
|
|
|
// Security: validate command and parse args
|
|
const validation = validateCommand(commandString);
|
|
|
|
if (!validation.allowed) {
|
|
throw new Error(`Command not allowed: ${commandString} - ${validation.error}`);
|
|
}
|
|
|
|
try {
|
|
// Execute without shell using execFile with parsed args
|
|
const { stdout, stderr } = await execFileAsync(
|
|
validation.command,
|
|
validation.args,
|
|
{
|
|
cwd,
|
|
timeout,
|
|
maxBuffer: 1024 * 1024, // 1MB max output
|
|
shell: false, // IMPORTANT: No shell interpretation
|
|
env: { ...process.env, PATH: process.env.PATH } // Inherit PATH for finding commands
|
|
}
|
|
);
|
|
|
|
const output = sanitizeOutput(stdout || stderr || '');
|
|
|
|
// Replace the !command with the output
|
|
result = result.replace(fullMatch, fullMatch.startsWith('\n') ? '\n' + output : output);
|
|
} catch (error) {
|
|
if (error.killed) {
|
|
throw new Error(`Command timeout: ${commandString}`);
|
|
}
|
|
throw new Error(`Command failed: ${commandString} - ${error.message}`);
|
|
}
|
|
}
|
|
|
|
return result;
|
|
}
|