refactor(knowledge): extract generic CUE compiler core and projection…#1
refactor(knowledge): extract generic CUE compiler core and projection…#1ljahier wants to merge 7 commits into
Conversation
… inferred domain discovery
…CLI health checks through it
876b1e6 to
97e6fde
Compare
There was a problem hiding this comment.
Needs attention — 1 issue in 1 file
The path-traversal vulnerability in sourceProvenance (runtime.go:480) flagged in the previous review remains unfixed — project.Package is joined to root and passed to WalkDir without the ..-escape guard that packageInstance in evaluator.go:629-641 implements. The rest of the new code is well-structured with good test coverage, consistent error handling, and appropriate bounds on the query API.
What this PR does
Extracts a generic CUE compiler core and transport-independent knowledge runtime with catalog, query, evaluation, and provenance APIs. Adds an optional CUE metadata contract (cue/knowledge/knowledge.cue), bounded query API with catalog validation, and named evaluation execution with JSON input overlays. The CLI health check is routed through the new runtime. All new files carry MPL-2.0 headers.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<assessment>
The path-traversal vulnerability in `sourceProvenance` (runtime.go:480) flagged in the previous review remains unfixed — `project.Package` is joined to root and passed to `WalkDir` without the `..`-escape guard that `packageInstance` in evaluator.go:629-641 implements. The rest of the new code is well-structured with good test coverage, consistent error handling, and appropriate bounds on the query API.
</assessment>
<file name="backend/internal/knowledge/runtime.go">
<issue location="backend/internal/knowledge/runtime.go:478">
`sourceProvenance` still joins `project.Package` to root without the `..`-escape check that `packageInstance` in `evaluator.go:629-641` carefully implements. A crafted `Package` value (e.g. `../../etc`) causes `WalkDir` to read arbitrary directories outside the module root. This was flagged in the previous review and remains unfixed.
</issue>
</file>
Tag @mendral-app with feedback or questions. View session
| packageDir := root | ||
| if project.Package != "" && project.Package != "." { | ||
| packageDir = filepath.Join(root, project.Package) | ||
| } |
There was a problem hiding this comment.
security (P1): sourceProvenance still joins project.Package to root without the ..-escape check that packageInstance in evaluator.go:629-641 carefully implements. A crafted Package value (e.g. ../../etc) causes WalkDir to read arbitrary directories outside the module root. This was flagged in the previous review and remains unfixed.
Suggested change
| packageDir := root | |
| if project.Package != "" && project.Package != "." { | |
| packageDir = filepath.Join(root, project.Package) | |
| } | |
| packageDir := root | |
| if project.Package != "" && project.Package != "." { | |
| if filepath.IsAbs(project.Package) { | |
| return Provenance{}, fmt.Errorf("package must be a relative path") | |
| } | |
| packageDir = filepath.Join(root, project.Package) | |
| rel, err := filepath.Rel(root, packageDir) | |
| if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { | |
| return Provenance{}, fmt.Errorf("package path escapes module root") | |
| } | |
| } |
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At backend/internal/knowledge/runtime.go, line 478:
<issue>
`sourceProvenance` still joins `project.Package` to root without the `..`-escape check that `packageInstance` in `evaluator.go:629-641` carefully implements. A crafted `Package` value (e.g. `../../etc`) causes `WalkDir` to read arbitrary directories outside the module root. This was flagged in the previous review and remains unfixed.
</issue>
… seams