
v0.4.4 — fs/net containment security fixes


@hamr0 hamr0 released this 23 May 18:22
· 59 commits to main since this release

Security patch. Two opt-in containment controls were bypassable by the agent they bound.

Security

  • fs — paths are now lexically normalized (./.. collapsed) and matched with segment boundaries, so traversal can no longer escape readScope/writeScope/deny (e.g. /app/data/../../etc/passwd), and a scope no longer leaks to a prefix sibling (/app/data/app/data-secrets). Symlinks are not resolved (lexical only) — canonicalize upstream if needed.
  • net — denyPrivateIps now actually blocks IPv6 ([::1], ULA, link-local — brackets were dead-coding the whole branch), IPv4-mapped IPv6, IPv4 link-local 169.254.0.0/16 (cloud-metadata IMDS 169.254.169.254), and 0.0.0.0. Hostname-based — no DNS-rebinding defense (resolve-then-check upstream).
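The two controls above, written out as an added example (this is not the project's code, and the function names `normalizeLexical`, `isWithinScope`, `isPathAllowed`, `isPrivateOrReservedHost` and the `{ readScope, writeScope, deny }` policy shape are assumptions, not its API). The fs half shows why lexical normalization plus a segment-boundary match closes both cases the notes cite: the traversal `/app/data/../../etc/passwd` and the prefix sibling (scope `/app/data`, path `/app/data-secrets`). The net half classifies an address literal the way the fixed `denyPrivateIps` branch must: it strips URL brackets, expands IPv6 (so `::1`, fe80::/10, fc00::/7 and the IPv4-mapped `::ffff:a.b.c.d` form are all seen), and goes slightly beyond the bullet by treating all of 0.0.0.0/8 and the RFC 1918 ranges as private alongside 169.254.0.0/16.

```javascript
// Added example, not code from the project: a lexical path-scope check and a
// private-address check of the kind this release describes. All names here
// (normalizeLexical, isWithinScope, isPathAllowed, isPrivateOrReservedHost)
// and the policy shape are assumptions, not the project's API.

// --- fs: lexical normalization + segment-boundary scope matching ---

// Collapse '.', '..' and empty segments in an absolute POSIX-style path.
// Purely lexical: no filesystem access, so symlinks are not resolved.
function normalizeLexical(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; } // '..' above root stays at root
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Match on a whole path segment: /app/data covers /app/data and /app/data/x,
// but not the prefix sibling /app/data-secrets.
function isWithinScope(target, scope) {
  const t = normalizeLexical(target);
  const s = normalizeLexical(scope);
  return t === s || t.startsWith(s === '/' ? '/' : s + '/');
}

// policy: { readScope: [...], writeScope: [...], deny: [...] }, mode 'read'|'write'.
// deny wins; otherwise the path must fall inside a scope for that mode.
function isPathAllowed(p, mode, policy) {
  if ((policy.deny || []).some((d) => isWithinScope(p, d))) return false;
  const scopes = mode === 'write' ? policy.writeScope : policy.readScope;
  return (scopes || []).some((s) => isWithinScope(p, s));
}

// --- net: denyPrivateIps-style check on a host literal ---

function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((n) => n <= 255) ? o : null;
}

function isPrivateIPv4([a, b]) {
  return a === 0 ||                          // 0.0.0.0/8, incl. 0.0.0.0
    a === 10 || a === 127 ||                 // 10/8, loopback
    (a === 172 && b >= 16 && b <= 31) ||     // 172.16/12
    (a === 192 && b === 168) ||              // 192.168/16
    (a === 169 && b === 254);                // link-local, incl. IMDS 169.254.169.254
}

// Expand IPv6 text to eight 16-bit groups (null if malformed). A trailing
// dotted quad (::ffff:10.0.0.1 form) is folded into the last two groups.
function parseIPv6(s) {
  let text = s.toLowerCase();
  const v4 = /(\d+\.\d+\.\d+\.\d+)$/.exec(text);
  if (v4) {
    const o = parseIPv4(v4[1]);
    if (!o) return null;
    text = text.slice(0, -v4[1].length) +
      ((o[0] << 8) | o[1]).toString(16) + ':' + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = text.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  return groups.every((g) => /^[0-9a-f]{1,4}$/.test(g)) ? groups.map((g) => parseInt(g, 16)) : null;
}

function isPrivateIPv6(g) {
  const zeroPrefix = (n) => g.slice(0, n).every((x) => x === 0);
  if (zeroPrefix(7) && g[7] <= 1) return true;               // :: and ::1
  if ((g[0] & 0xffc0) === 0xfe80) return true;               // fe80::/10 link-local
  if ((g[0] & 0xfe00) === 0xfc00) return true;               // fc00::/7 ULA
  if (zeroPrefix(5) && g[5] === 0xffff)                      // IPv4-mapped ::ffff:a.b.c.d
    return isPrivateIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  return false;
}

// Hostname-level only, as the notes say: literal addresses are classified, a
// DNS name is not resolved here. Resolve first and check the result to cover
// names that point at private space.
function isPrivateOrReservedHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // strip URL brackets
  const v4 = parseIPv4(h);
  if (v4) return isPrivateIPv4(v4);
  if (h.includes(':')) {
    const v6 = parseIPv6(h);
    return v6 ? isPrivateIPv6(v6) : true; // malformed v6 literal: fail closed
  }
  return false; // a DNS name, not an IP literal
}
```

Both halves carry the same caveats the bullets do. `isWithinScope` never touches the filesystem, so a symlink inside the scope that points outside it passes; run `fs.realpath` on the target first if the deployment needs that. `isPrivateOrReservedHost` only sees what it is handed, so a DNS name resolving to 169.254.169.254 or ::1 is not caught at this layer; call `dns.lookup` and feed the resolved address back through the check, pinning the connection to that address so a second resolution cannot swap it.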

Tests

Suite 88 → 93 (test/security-regression.test.js), green on the full ubuntu/macos/windows × Node 20/22 matrix.

Also bundles the previously-unreleased docs restructure + docs/identity-and-the-gate.md. Full notes in CHANGELOG.