fix(security): 🔒 fix zip slip in template extraction and add TSRC security checklist#734
Conversation
- deployCmd defaults to "." when framework=static (no dist/ at root) - Regenerate scripts/tools.json with getBuildLog action + updated descriptions - Update doc/mcp-tools.md with getBuildLog action + updated parameter descriptions Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Local build already produces dist/, so pass framework=static + empty installCmd/buildCmd to skip remote build steps. Update SKILL.md deploy guide to match. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add manageApps(action="getUploadUrl") — returns pre-signed COS upload URL with uploadHeaders, cosTimestamp, and nextAction guiding AI to call deployApp - deployApp now accepts optional cosTimestamp to skip local uploadCode step - cloud mode: getUploadUrl + deployApp(cosTimestamp) available; deployApp without cosTimestamp blocked with clear error guidance - Local mode: unchanged (filePath → uploadCode → createApp) - Remove manageApps from cloudIncompatibleTools blacklist in cloud-mode.ts - Update scripts/tools.json and doc/mcp-tools.md with new action/params - Fix duplicate comments from merge conflict resolution Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…urity checklist - Replace AdmZip.extractAllTo with per-entry path validation to prevent zip slip attacks - Add security-severity-checklist.md with TSRC-style vulnerability classification - Update codebase-audit routing and classification to reference the new checklist - Enhance review-strategy with severity-labeled security checks Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 996c599cf8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| import { basename, dirname, join } from "node:path"; | ||
|
|
||
| const __dirname = dirname(fileURLToPath(import.meta.url)); | ||
| const lib = await import(join(__dirname, "..", "lib", "preview-state.mjs")); |
There was a problem hiding this comment.
When any user runs cloudbase-vibe-deploy, this top-level import fails before argument handling, so even --help exits with ERR_MODULE_NOT_FOUND. I checked the repo with rg --files -g '*preview-state*' and there is no plugin/cloudbase-vibe-coding/lib/preview-state.mjs, so the newly documented deploy flow is unusable until that shared module is included or this script stops depending on it.
Useful? React with 👍 / 👎.
1 participant
Summary
downloadTemplatetemplate extractionChanges
mcp/src/tools/setup.tsAdmZip.extractAllTo()with per-entry path validation../../paths to overwrite files outside the target directoryskills/codebase-audit/references/security-severity-checklist.md(new)skills/codebase-audit/(updated)Test plan
npm run build)vitest run tools/setup)../are rejected with clear error