mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-06-19 11:20:48 +08:00
5994d3fac1
Critical: project-local install-state (e.g. a cloned repo's .cursor/ecc-install-state.json) is attacker-controllable, and repair/uninstall/auto-update replayed its operations with destinationPath validated only for non-emptiness — confirmed arbitrary file write/delete and chained RCE (write ~/.bashrc, .git/hooks, or run a planted install-apply.js). - New scripts/lib/path-safety.js: assertWithinTrustedRoot() canonicalizes (incl. symlink escape via nearest-existing-ancestor realpath) and fails closed unless the destination is within the adapter-derived trusted root. - install-lifecycle.js: gate executeRepairOperation + executeUninstallOperation + the install-state removal against record.targetRoot (the adapter-resolved root, NOT the attacker-supplied state.target.root). - auto-update.js: validateRepoRoot now requires package.json name to be an official ECC package, so a planted nested repo can't drive auto-update into executing attacker code. - 7 containment regression tests. Existing install-lifecycle/repair/uninstall/auto-update suites still green (legit destinations are within the root).