zhangli
2424d05b01
fix(plugin): harden plugin commands against path traversal, DoS, and agent misuse

Security fixes from PR #1596 security audit:
- Skip symlink/hardlink entries during tgz extraction (Zip Slip)
- Limit tgz entry and download size to 10 MB (OOM/DoS)
- Limit error response body read to 4 KB
- Validate MIAODA_APP_TYPE as numeric to prevent path manipulation
- Add validatePluginKey + secureModulePath to block --name path
  traversal (../../.ssh etc.) for install/uninstall

Usability fix:
- Add explicit 'local command, no --app-id' notice in plugin
  reference docs to prevent agent from incorrectly passing
  --app-id to plugin commands (which read package.json locally)
2026-06-30 17:35:13 +08:00