@decocms/runtime
A TypeScript framework for building MCP (Model Context Protocol) servers with first-class support for tools, prompts, resources, OAuth authentication, and event-driven architectures.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Internal monorepo package under @decocms org; missing metadata is expected, not a spam/malware indicator. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): All 18 hits are in test files asserting path traversal is blocked — not credential access. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into request bindings is standard edge-runtime pattern for this package. | ai | |
| phantom-deps | phantom-dep:@cloudflare/workers-types | AI (phantom-deps): Type-only package used by convention in Cloudflare Workers projects; not directly imported. | ai | |
Versions (showing 35 of 35)
| Version | Deps | Published |
|---|---|---|
| 1.6.3 | 7 / 4 | |
| 1.6.2 | 7 / 4 | |
| 1.6.1 | 7 / 4 | |
| 1.6.0 | 7 / 4 | |
| 1.5.0 | 7 / 4 | |
| 1.4.0 | 7 / 4 | |
| 1.3.1 | 7 / 4 | |
| 1.3.0 | 7 / 4 | |
| 1.2.15 | 7 / 4 | |
| 1.2.14 | 7 / 4 | |
| 1.2.13 | 7 / 4 | |
| 1.2.12 | 7 / 3 | |
| 1.2.11 | 7 / 3 | |
| 1.2.10 | 7 / 3 | |
| 1.2.9 | 7 / 3 | |
| 1.2.8 | 7 / 3 | |
| 1.2.7 | 7 / 3 | |
| 1.2.6 | 7 / 3 | |
| 1.2.5 | 7 / 3 | |
| 1.2.4 | 7 / 3 | |
| 1.2.3 | 7 / 3 | |
| 1.2.2 | 7 / 3 | |
| 1.2.1 | 7 / 3 | |
| 1.2.0 | 7 / 3 | |
| 1.1.3 | 7 / 3 | |
| 1.1.2 | 7 / 3 | |
| 1.1.1 | 7 / 3 | |
| 1.1.0 | 7 / 3 | |
| 1.0.3 | 8 / 3 | |
| 1.0.2 | 8 / 3 | |
| 0.28.0 | 14 / 4 | |
| 0.26.0 | 14 / 4 | |
| 0.25.1 | 12 / 4 | |
| 0.25.0 | 12 / 4 | |
| 0.24.0 | 12 / 4 | |
v1.6.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.0
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L49
```ts
   47 |
   48 | test("blocks traversal to root", () => {
>  49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
   50 | });
   51 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L53
```ts
   51 |
   52 | test("blocks traversal with ../ sequence", () => {
>  53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
   54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
   55 | });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L116
```ts
  114 |
  115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
  117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
  118 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L117
```ts
  115 | describe("path traversal attacks - BLOCKED", () => {
  116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
  118 |   });
  119 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L120
```ts
  118 |   });
  119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
  121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
  122 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L121
```ts
  119 |
  120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
  122 |   });
  123 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L124
```ts
  122 |   });
  123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
  125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
  126 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L125
```ts
  123 |
  124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
  126 |   });
  127 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L128
```ts
  126 |   });
  127 |
> 128 |   test("blocks /../etc/passwd", () => {
  129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
  130 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L129
```ts
  127 |
  128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
  130 |   });
  131 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L141
```ts
  139 |   });
  140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
  142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
  143 |     expect(resolvePath("//etc/passwd")).toBeNull();
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L142
```ts
  140 |
  141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
  143 |     expect(resolvePath("//etc/passwd")).toBeNull();
  144 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L143
```ts
  141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
  142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
  144 |   });
  145 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L146
```ts
  144 |   });
  145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
  147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
  148 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.test.ts#L147
```ts
  145 |
  146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
  148 |   });
  149 | });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.ts#L61
```ts
   59 | /**
   60 |  * Check if a resolved file path is safely within the allowed base directory.
>  61 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
   62 |  *
   63 |  * @param filePath - The resolved absolute file path
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.ts#L70
````ts
   68 |  * ```ts
   69 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
>  70 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
   71 |  * ```
   72 |  */
````

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/asset-server/index.ts#L102
````ts
  100 |  * // "/app/client/style.css"
  101 |  *
> 102 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
  103 |  * // null (blocked)
  104 |  * ```
````

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/decocms/studio/blob/dd8b2ee3a7a0e646d979f996283aec814b7c6ebd/src/index.ts#L402
```ts
  400 | const bindings = withBindings({
  401 |   authToken: req.headers.get("authorization") ?? null,
> 402 |   env: { ...process.env, ...env },
  403 |   server,
  404 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.1
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L49
```ts
   47 |
   48 | test("blocks traversal to root", () => {
>  49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
   50 | });
   51 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L53
```ts
   51 |
   52 | test("blocks traversal with ../ sequence", () => {
>  53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
   54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
   55 | });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L116
```ts
  114 |
  115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
  117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
  118 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L117
```ts
  115 | describe("path traversal attacks - BLOCKED", () => {
  116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
  118 |   });
  119 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L120
```ts
  118 |   });
  119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
  121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
  122 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L121
```ts
  119 |
  120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
  122 |   });
  123 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L124
```ts
  122 |   });
  123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
  125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
  126 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L125
```ts
  123 |
  124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
  126 |   });
  127 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L128
```ts
  126 |   });
  127 |
> 128 |   test("blocks /../etc/passwd", () => {
  129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
  130 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L129
```ts
  127 |
  128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
  130 |   });
  131 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L141
```ts
  139 |   });
  140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
  142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
  143 |     expect(resolvePath("//etc/passwd")).toBeNull();
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L142
```ts
  140 |
  141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
  143 |     expect(resolvePath("//etc/passwd")).toBeNull();
  144 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L143
```ts
  141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
  142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
  144 |   });
  145 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L146
```ts
  144 |   });
  145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
  147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
  148 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.test.ts#L147
```ts
  145 |
  146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
  148 |   });
  149 | });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.ts#L61
```ts
   59 | /**
   60 |  * Check if a resolved file path is safely within the allowed base directory.
>  61 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
   62 |  *
   63 |  * @param filePath - The resolved absolute file path
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.ts#L70
````ts
   68 |  * ```ts
   69 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
>  70 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
   71 |  * ```
   72 |  */
````

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/asset-server/index.ts#L102
````ts
  100 |  * // "/app/client/style.css"
  101 |  *
> 102 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
  103 |  * // null (blocked)
  104 |  * ```
````

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/decocms/studio/blob/336ed8cbf5abbb0808e3efb9ddcb75d865674fc3/src/index.ts#L401
```ts
  399 | const bindings = withBindings({
  400 |   authToken: req.headers.get("authorization") ?? null,
> 401 |   env: { ...process.env, ...env },
  402 |   server,
  403 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.0
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L49
```ts
   47 |
   48 | test("blocks traversal to root", () => {
>  49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
   50 | });
   51 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L53
```ts
   51 |
   52 | test("blocks traversal with ../ sequence", () => {
>  53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
   54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
   55 | });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L116
```ts
  114 |
  115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
  117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
  118 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L117
```ts
  115 | describe("path traversal attacks - BLOCKED", () => {
  116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
  118 |   });
  119 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L120
```ts
  118 |   });
  119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
  121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
  122 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L121
```ts
  119 |
  120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
  122 |   });
  123 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L124
```ts
  122 |   });
  123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
  125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
  126 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L125
```ts
  123 |
  124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
  126 |   });
  127 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L128
```ts
  126 |   });
  127 |
> 128 |   test("blocks /../etc/passwd", () => {
  129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
  130 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L129
```ts
  127 |
  128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
  130 |   });
  131 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L141
```ts
  139 |   });
  140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
  142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
  143 |     expect(resolvePath("//etc/passwd")).toBeNull();
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L142
```ts
  140 |
  141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
  143 |     expect(resolvePath("//etc/passwd")).toBeNull();
  144 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L143
```ts
  141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
  142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
  144 |   });
  145 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L146
```ts
  144 |   });
  145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
  147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
  148 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.test.ts#L147
```ts
  145 |
  146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
  148 |   });
  149 | });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.ts#L61
```ts
   59 | /**
   60 |  * Check if a resolved file path is safely within the allowed base directory.
>  61 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
   62 |  *
   63 |  * @param filePath - The resolved absolute file path
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.ts#L70
````ts
   68 |  * ```ts
   69 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
>  70 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
   71 |  * ```
   72 |  */
````

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/asset-server/index.ts#L102
````ts
  100 |  * // "/app/client/style.css"
  101 |  *
> 102 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
  103 |  * // null (blocked)
  104 |  * ```
````

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/decocms/studio/blob/8680511ba8d98baa4d4cf4b9ac507ed44cd479cd/src/index.ts#L401
```ts
  399 | const bindings = withBindings({
  400 |   authToken: req.headers.get("authorization") ?? null,
> 401 |   env: { ...process.env, ...env },
  402 |   server,
  403 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.15
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L49
```ts
   47 |
   48 | test("blocks traversal to root", () => {
>  49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
   50 | });
   51 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L53
```ts
   51 |
   52 | test("blocks traversal with ../ sequence", () => {
>  53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
   54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
   55 | });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L116
```ts
  114 |
  115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
  117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
  118 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L117
```ts
  115 | describe("path traversal attacks - BLOCKED", () => {
  116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
  118 |   });
  119 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L120
```ts
  118 |   });
  119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
  121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
  122 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L121
```ts
  119 |
  120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
  122 |   });
  123 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L124
```ts
  122 |   });
  123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
  125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
  126 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L125
```ts
  123 |
  124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
  126 |   });
  127 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L128
```ts
  126 |   });
  127 |
> 128 |   test("blocks /../etc/passwd", () => {
  129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
  130 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L129
```ts
  127 |
  128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
  130 |   });
  131 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L141
```ts
  139 |   });
  140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
  142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
  143 |     expect(resolvePath("//etc/passwd")).toBeNull();
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L142
```ts
  140 |
  141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
  143 |     expect(resolvePath("//etc/passwd")).toBeNull();
  144 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L143
```ts
  141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
  142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
  144 |   });
  145 |
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L146
```ts
  144 |   });
  145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
  147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
  148 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.test.ts#L147
```ts
  145 |
  146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
  148 |   });
  149 | });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.ts#L61
```ts
   59 | /**
   60 |  * Check if a resolved file path is safely within the allowed base directory.
>  61 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
   62 |  *
   63 |  * @param filePath - The resolved absolute file path
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.ts#L70
````ts
   68 |  * ```ts
   69 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
>  70 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
   71 |  * ```
   72 |  */
````

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/asset-server/index.ts#L102
````ts
  100 |  * // "/app/client/style.css"
  101 |  *
> 102 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
  103 |  * // null (blocked)
  104 |  * ```
````

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/decocms/studio/blob/33fdd4d6b38576e088a287937ac2a74878077307/src/index.ts#L401
```ts
  399 | const bindings = withBindings({
  400 |   authToken: req.headers.get("authorization") ?? null,
> 401 |   env: { ...process.env, ...env },
  402 |   server,
  403 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.14
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L49
    47 |
    48 | test("blocks traversal to root", () => {
    > 49 | expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
    50 | });
    51 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L53
    51 |
    52 | test("blocks traversal with ../ sequence", () => {
    > 53 | const traversalPath = resolve(baseDir, "../../../etc/passwd");
    54 | expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
    55 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L116
    114 |
    115 | describe("path traversal attacks - BLOCKED", () => {
    > 116 | test("blocks /../../../etc/passwd", () => {
    117 | expect(resolvePath("/../../../etc/passwd")).toBeNull();
    118 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L117
    115 | describe("path traversal attacks - BLOCKED", () => {
    116 | test("blocks /../../../etc/passwd", () => {
    > 117 | expect(resolvePath("/../../../etc/passwd")).toBeNull();
    118 | });
    119 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L120
    118 | });
    119 |
    > 120 | test("blocks /assets/../../../etc/passwd", () => {
    121 | expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
    122 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L121
    119 |
    120 | test("blocks /assets/../../../etc/passwd", () => {
    > 121 | expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
    122 | });
    123 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L124
    122 | });
    123 |
    > 124 | test("blocks /./../../etc/passwd", () => {
    125 | expect(resolvePath("/./../../etc/passwd")).toBeNull();
    126 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L125
    123 |
    124 | test("blocks /./../../etc/passwd", () => {
    > 125 | expect(resolvePath("/./../../etc/passwd")).toBeNull();
    126 | });
    127 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L128
    126 | });
    127 |
    > 128 | test("blocks /../etc/passwd", () => {
    129 | expect(resolvePath("/../etc/passwd")).toBeNull();
    130 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L129
    127 |
    128 | test("blocks /../etc/passwd", () => {
    > 129 | expect(resolvePath("/../etc/passwd")).toBeNull();
    130 | });
    131 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L141
    139 | });
    140 |
    > 141 | test("blocks //etc/passwd (resolves to absolute path)", () => {
    142 | // Double slash after stripping leading / becomes /etc/passwd (absolute)
    143 | expect(resolvePath("//etc/passwd")).toBeNull();

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L142
    140 |
    141 | test("blocks //etc/passwd (resolves to absolute path)", () => {
    > 142 | // Double slash after stripping leading / becomes /etc/passwd (absolute)
    143 | expect(resolvePath("//etc/passwd")).toBeNull();
    144 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L143
    141 | test("blocks //etc/passwd (resolves to absolute path)", () => {
    142 | // Double slash after stripping leading / becomes /etc/passwd (absolute)
    > 143 | expect(resolvePath("//etc/passwd")).toBeNull();
    144 | });
    145 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L146
    144 | });
    145 |
    > 146 | test("blocks /valid/../../../etc/passwd", () => {
    147 | expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
    148 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.test.ts#L147
    145 |
    146 | test("blocks /valid/../../../etc/passwd", () => {
    > 147 | expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
    148 | });
    149 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.ts#L61
    59 | /**
    60 | * Check if a resolved file path is safely within the allowed base directory.
    > 61 | * Prevents path traversal attacks (e.g., /../../../etc/passwd).
    62 | *
    63 | * @param filePath - The resolved absolute file path

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.ts#L70
    68 | * ```ts
    69 | * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
    > 70 | * isPathWithinDirectory("/etc/passwd", "/app/client") // false
    71 | * ```
    72 | */

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/asset-server/index.ts#L102
    100 | * // "/app/client/style.css"
    101 | *
    > 102 | * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
    103 | * // null (blocked)
    104 | * ```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/decocms/studio/blob/5d309986c76f1664362931f273f1f4c9b651ada0/src/index.ts#L401
    399 | const bindings = withBindings({
    400 | authToken: req.headers.get("authorization") ?? null,
    > 401 | env: { ...process.env, ...env },
    402 | server,
    403 | tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.13
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L49
    47 |
    48 | test("blocks traversal to root", () => {
    > 49 | expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
    50 | });
    51 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L53
    51 |
    52 | test("blocks traversal with ../ sequence", () => {
    > 53 | const traversalPath = resolve(baseDir, "../../../etc/passwd");
    54 | expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
    55 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L116
    114 |
    115 | describe("path traversal attacks - BLOCKED", () => {
    > 116 | test("blocks /../../../etc/passwd", () => {
    117 | expect(resolvePath("/../../../etc/passwd")).toBeNull();
    118 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L117
    115 | describe("path traversal attacks - BLOCKED", () => {
    116 | test("blocks /../../../etc/passwd", () => {
    > 117 | expect(resolvePath("/../../../etc/passwd")).toBeNull();
    118 | });
    119 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L120
    118 | });
    119 |
    > 120 | test("blocks /assets/../../../etc/passwd", () => {
    121 | expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
    122 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L121
    119 |
    120 | test("blocks /assets/../../../etc/passwd", () => {
    > 121 | expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
    122 | });
    123 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L124
    122 | });
    123 |
    > 124 | test("blocks /./../../etc/passwd", () => {
    125 | expect(resolvePath("/./../../etc/passwd")).toBeNull();
    126 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L125
    123 |
    124 | test("blocks /./../../etc/passwd", () => {
    > 125 | expect(resolvePath("/./../../etc/passwd")).toBeNull();
    126 | });
    127 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L128
    126 | });
    127 |
    > 128 | test("blocks /../etc/passwd", () => {
    129 | expect(resolvePath("/../etc/passwd")).toBeNull();
    130 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L129
    127 |
    128 | test("blocks /../etc/passwd", () => {
    > 129 | expect(resolvePath("/../etc/passwd")).toBeNull();
    130 | });
    131 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L141
    139 | });
    140 |
    > 141 | test("blocks //etc/passwd (resolves to absolute path)", () => {
    142 | // Double slash after stripping leading / becomes /etc/passwd (absolute)
    143 | expect(resolvePath("//etc/passwd")).toBeNull();

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L142
    140 |
    141 | test("blocks //etc/passwd (resolves to absolute path)", () => {
    > 142 | // Double slash after stripping leading / becomes /etc/passwd (absolute)
    143 | expect(resolvePath("//etc/passwd")).toBeNull();
    144 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L143
    141 | test("blocks //etc/passwd (resolves to absolute path)", () => {
    142 | // Double slash after stripping leading / becomes /etc/passwd (absolute)
    > 143 | expect(resolvePath("//etc/passwd")).toBeNull();
    144 | });
    145 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L146
    144 | });
    145 |
    > 146 | test("blocks /valid/../../../etc/passwd", () => {
    147 | expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
    148 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.test.ts#L147
    145 |
    146 | test("blocks /valid/../../../etc/passwd", () => {
    > 147 | expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
    148 | });
    149 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.ts#L61
    59 | /**
    60 | * Check if a resolved file path is safely within the allowed base directory.
    > 61 | * Prevents path traversal attacks (e.g., /../../../etc/passwd).
    62 | *
    63 | * @param filePath - The resolved absolute file path

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.ts#L70
    68 | * ```ts
    69 | * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
    > 70 | * isPathWithinDirectory("/etc/passwd", "/app/client") // false
    71 | * ```
    72 | */

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/asset-server/index.ts#L102
    100 | * // "/app/client/style.css"
    101 | *
    > 102 | * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
    103 | * // null (blocked)
    104 | * ```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/decocms/studio/blob/72b455216b87824a6b0cd047eb539be05ee9c4f4/src/index.ts#L401
    399 | const bindings = withBindings({
    400 | authToken: req.headers.get("authorization") ?? null,
    > 401 | env: { ...process.env, ...env },
    402 | server,
    403 | tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.12
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L49
    47 |
    48 | test("blocks traversal to root", () => {
    > 49 | expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
    50 | });
    51 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L53
    51 |
    52 | test("blocks traversal with ../ sequence", () => {
    > 53 | const traversalPath = resolve(baseDir, "../../../etc/passwd");
    54 | expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
    55 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L116
    114 |
    115 | describe("path traversal attacks - BLOCKED", () => {
    > 116 | test("blocks /../../../etc/passwd", () => {
    117 | expect(resolvePath("/../../../etc/passwd")).toBeNull();
    118 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L117
    115 | describe("path traversal attacks - BLOCKED", () => {
    116 | test("blocks /../../../etc/passwd", () => {
    > 117 | expect(resolvePath("/../../../etc/passwd")).toBeNull();
    118 | });
    119 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L120
    118 | });
    119 |
    > 120 | test("blocks /assets/../../../etc/passwd", () => {
    121 | expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
    122 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L121
    119 |
    120 | test("blocks /assets/../../../etc/passwd", () => {
    > 121 | expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
    122 | });
    123 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L124
    122 | });
    123 |
    > 124 | test("blocks /./../../etc/passwd", () => {
    125 | expect(resolvePath("/./../../etc/passwd")).toBeNull();
    126 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L125
    123 |
    124 | test("blocks /./../../etc/passwd", () => {
    > 125 | expect(resolvePath("/./../../etc/passwd")).toBeNull();
    126 | });
    127 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L128
    126 | });
    127 |
    > 128 | test("blocks /../etc/passwd", () => {
    129 | expect(resolvePath("/../etc/passwd")).toBeNull();
    130 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L129
    127 |
    128 | test("blocks /../etc/passwd", () => {
    > 129 | expect(resolvePath("/../etc/passwd")).toBeNull();
    130 | });
    131 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L141
    139 | });
    140 |
    > 141 | test("blocks //etc/passwd (resolves to absolute path)", () => {
    142 | // Double slash after stripping leading / becomes /etc/passwd (absolute)
    143 | expect(resolvePath("//etc/passwd")).toBeNull();

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L142
    140 |
    141 | test("blocks //etc/passwd (resolves to absolute path)", () => {
    > 142 | // Double slash after stripping leading / becomes /etc/passwd (absolute)
    143 | expect(resolvePath("//etc/passwd")).toBeNull();
    144 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L143
    141 | test("blocks //etc/passwd (resolves to absolute path)", () => {
    142 | // Double slash after stripping leading / becomes /etc/passwd (absolute)
    > 143 | expect(resolvePath("//etc/passwd")).toBeNull();
    144 | });
    145 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L146
    144 | });
    145 |
    > 146 | test("blocks /valid/../../../etc/passwd", () => {
    147 | expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
    148 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.test.ts#L147
    145 |
    146 | test("blocks /valid/../../../etc/passwd", () => {
    > 147 | expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
    148 | });
    149 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.ts#L61
    59 | /**
    60 | * Check if a resolved file path is safely within the allowed base directory.
    > 61 | * Prevents path traversal attacks (e.g., /../../../etc/passwd).
    62 | *
    63 | * @param filePath - The resolved absolute file path

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.ts#L70
    68 | * ```ts
    69 | * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
    > 70 | * isPathWithinDirectory("/etc/passwd", "/app/client") // false
    71 | * ```
    72 | */

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/asset-server/index.ts#L102
    100 | * // "/app/client/style.css"
    101 | *
    > 102 | * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
    103 | * // null (blocked)
    104 | * ```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/decocms/mesh/blob/7aadcb268b07c5ef86ef11a8601902aa5d6e0e59/src/index.ts#L401
    399 | const bindings = withBindings({
    400 | authToken: req.headers.get("authorization") ?? null,
    > 401 | env: { ...process.env, ...env },
    402 | server,
    403 | tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.11
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L49
    47 |
    48 | test("blocks traversal to root", () => {
    > 49 | expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
    50 | });
    51 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L53
    51 |
    52 | test("blocks traversal with ../ sequence", () => {
    > 53 | const traversalPath = resolve(baseDir, "../../../etc/passwd");
    54 | expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
    55 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L116
    114 |
    115 | describe("path traversal attacks - BLOCKED", () => {
    > 116 | test("blocks /../../../etc/passwd", () => {
    117 | expect(resolvePath("/../../../etc/passwd")).toBeNull();
    118 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L117
    115 | describe("path traversal attacks - BLOCKED", () => {
    116 | test("blocks /../../../etc/passwd", () => {
    > 117 | expect(resolvePath("/../../../etc/passwd")).toBeNull();
    118 | });
    119 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L120
    118 | });
    119 |
    > 120 | test("blocks /assets/../../../etc/passwd", () => {
    121 | expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
    122 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L121
    119 |
    120 | test("blocks /assets/../../../etc/passwd", () => {
    > 121 | expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
    122 | });
    123 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L124
    122 | });
    123 |
    > 124 | test("blocks /./../../etc/passwd", () => {
    125 | expect(resolvePath("/./../../etc/passwd")).toBeNull();
    126 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L125
    123 |
    124 | test("blocks /./../../etc/passwd", () => {
    > 125 | expect(resolvePath("/./../../etc/passwd")).toBeNull();
    126 | });
    127 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L128
    126 | });
    127 |
    > 128 | test("blocks /../etc/passwd", () => {
    129 | expect(resolvePath("/../etc/passwd")).toBeNull();
    130 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L129
    127 |
    128 | test("blocks /../etc/passwd", () => {
    > 129 | expect(resolvePath("/../etc/passwd")).toBeNull();
    130 | });
    131 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L141
    139 | });
    140 |
    > 141 | test("blocks //etc/passwd (resolves to absolute path)", () => {
    142 | // Double slash after stripping leading / becomes /etc/passwd (absolute)
    143 | expect(resolvePath("//etc/passwd")).toBeNull();

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L142
    140 |
    141 | test("blocks //etc/passwd (resolves to absolute path)", () => {
    > 142 | // Double slash after stripping leading / becomes /etc/passwd (absolute)
    143 | expect(resolvePath("//etc/passwd")).toBeNull();
    144 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L143
    141 | test("blocks //etc/passwd (resolves to absolute path)", () => {
    142 | // Double slash after stripping leading / becomes /etc/passwd (absolute)
    > 143 | expect(resolvePath("//etc/passwd")).toBeNull();
    144 | });
    145 |

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L146
    144 | });
    145 |
    > 146 | test("blocks /valid/../../../etc/passwd", () => {
    147 | expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
    148 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.test.ts#L147
    145 |
    146 | test("blocks /valid/../../../etc/passwd", () => {
    > 147 | expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
    148 | });
    149 | });

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.ts#L61
    59 | /**
    60 | * Check if a resolved file path is safely within the allowed base directory.
    > 61 | * Prevents path traversal attacks (e.g., /../../../etc/passwd).
    62 | *
    63 | * @param filePath - The resolved absolute file path

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.ts#L70
    68 | * ```ts
    69 | * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
    > 70 | * isPathWithinDirectory("/etc/passwd", "/app/client") // false
    71 | * ```
    72 | */

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/asset-server/index.ts#L102
    100 | * // "/app/client/style.css"
    101 | *
    > 102 | * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
    103 | * // null (blocked)
    104 | * ```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/decocms/mesh/blob/70fb3217256f2ea36bafd5c4593e1b87d1f4c763/src/index.ts#L399
    397 | const bindings = withBindings({
    398 | authToken: req.headers.get("authorization") ?? null,
    > 399 | env: { ...process.env, ...env },
    400 | server,
    401 | tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.10
20 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/decocms/mesh/blob/454fd3cb49f990b382ddac8349d156ca2deddfc4/src/asset-server/index.test.ts#L49 47 | 48 | test("blocks traversal to root", () => { > 49 | expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false); 50 | }); 51 |
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/decocms/mesh/blob/454fd3cb49f990b382ddac8349d156ca2deddfc4/src/asset-server/index.test.ts#L53 51 | 52 | test("blocks traversal with ../ sequence", () => { > 53 | const traversalPath = resolve(baseDir, "../../../etc/passwd"); 54 | expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false); 55 | });
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/decocms/mesh/blob/454fd3cb49f990b382ddac8349d156ca2deddfc4/src/asset-server/index.test.ts#L116 114 | 115 | describe("path traversal attacks - BLOCKED", () => { > 116 | test("blocks /../../../etc/passwd", () => { 117 | expect(resolvePath("/../../../etc/passwd")).toBeNull(); 118 | });
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/decocms/mesh/blob/454fd3cb49f990b382ddac8349d156ca2deddfc4/src/asset-server/index.test.ts#L117 115 | describe("path traversal attacks - BLOCKED", () => { 116 | test("blocks /../../../etc/passwd", () => { > 117 | expect(resolvePath("/../../../etc/passwd")).toBeNull(); 118 | }); 119 |
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/decocms/mesh/blob/454fd3cb49f990b382ddac8349d156ca2deddfc4/src/asset-server/index.test.ts#L120 118 | }); 119 | > 120 | test("blocks /assets/../../../etc/passwd", () => { 121 | expect(resolvePath("/assets/../../../etc/passwd")).toBeNull(); 122 | });
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/decocms/mesh/blob/454fd3cb49f990b382ddac8349d156ca2deddfc4/src/asset-server/index.test.ts#L121 119 | 120 | test("blocks /assets/../../../etc/passwd", () => { > 121 | expect(resolvePath("/assets/../../../etc/passwd")).toBeNull(); 122 | }); 123 |
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/decocms/mesh/blob/454fd3cb49f990b382ddac8349d156ca2deddfc4/src/asset-server/index.test.ts#L124 122 | }); 123 | > 124 | test("blocks /./../../etc/passwd", () => { 125 | expect(resolvePath("/./../../etc/passwd")).toBeNull(); 126 | });
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Every hit listed here is a literal "/etc/passwd" used as a test input or as a doc-comment example for the asset server's traversal check; the tests assert that such a request resolves to null, and none of the flagged lines opens the file.

src/asset-server/index.test.ts lines 125, 128, 129, 141, 142, 143, 146, 147
Source: https://github.com/decocms/mesh/blob/454fd3cb49f990b382ddac8349d156ca2deddfc4/src/asset-server/index.test.ts#L125
  123 |
  124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
  126 |   });
  127 |
> 128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
  130 |   });
  131 |
  (lines 132-138 omitted by the scanner)
  139 |   });
  140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
  144 |   });
  145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
  148 |   });
  149 | });

src/asset-server/index.ts lines 37, 46, 78 (doc comments of the functions under test)
Source: https://github.com/decocms/mesh/blob/454fd3cb49f990b382ddac8349d156ca2deddfc4/src/asset-server/index.ts#L37
  35 | /**
  36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
  38 |  *
  39 |  * @param filePath - The resolved absolute file path
  (lines 40-43 omitted by the scanner)
  44 |  * ```ts
  45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
  47 |  * ```
  48 |  */
  (lines 49-75 omitted by the scanner)
  76 |  * // "/app/client/style.css"
  77 |  *
> 78 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
  79 |  * // null (blocked)
  80 |  * ```
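The tests quoted above pin down the behaviour of a containment check and a request-path resolver. The block below is an added example, not code from @decocms/runtime or the decocms/mesh repository, showing one way to write that pair so that every case the tests name (plain ../ traversal, the /./.. form, a nested valid/../../.. form, and the //etc/passwd double-slash case) returns null. It also covers two cases the tests do not mention: percent-encoded traversal, and the sibling-directory trap that a string-prefix check falls into. The names isWithinDirectory, naivePrefixCheck and resolveAssetPath, the /app/client base directory and the sample request paths are this example's own choices; the project's resolveAssetPathWithTraversalCheck takes an options object and may be implemented differently.

```typescript
import * as path from "node:path";

// Added example, not @decocms/runtime code. Names, the "/app/client" base
// directory and the sample request paths are this example's own.

/**
 * Lexical containment check: true when `filePath` is `baseDir` itself or a
 * descendant of it. Both sides are resolved first so ".." and "." segments
 * are collapsed before comparing. The comparison uses path.relative rather
 * than a string prefix, because a prefix test accepts the sibling directory
 * "/app/client-secrets" as being inside "/app/client".
 */
function isWithinDirectory(filePath: string, baseDir: string): boolean {
  const base = path.resolve(baseDir);
  const target = path.resolve(filePath);
  const rel = path.relative(base, target);
  if (rel === "") return true;             // the directory itself
  if (path.isAbsolute(rel)) return false;  // different root or drive
  return rel !== ".." && !rel.startsWith(`..${path.sep}`);
}

/** The prefix test that isWithinDirectory avoids; kept only to show the gap. */
function naivePrefixCheck(filePath: string, baseDir: string): boolean {
  return path.resolve(filePath).startsWith(path.resolve(baseDir));
}

/**
 * Map a request path such as "/style.css" to a file under `clientDir`, or
 * return null when the request would escape it. Yields the same null results
 * that the quoted tests assert for traversal inputs.
 */
function resolveAssetPath(requestPath: string, clientDir: string): string | null {
  let decoded: string;
  try {
    decoded = decodeURIComponent(requestPath); // "%2e%2e/" is "../" once decoded
  } catch {
    return null;                               // malformed percent-encoding
  }
  // Strip exactly one leading slash. Stripping all of them (e.g. /^\/+/) would
  // turn "//etc/passwd" into the relative "etc/passwd" and serve
  // clientDir/etc/passwd; stripping one leaves "/etc/passwd", which
  // path.resolve treats as absolute and the containment check then rejects.
  const relative = decoded.startsWith("/") ? decoded.slice(1) : decoded;
  const candidate = path.resolve(clientDir, relative);
  return isWithinDirectory(candidate, clientDir) ? candidate : null;
}

// Constructed inputs (not taken from any real request log) covering the cases
// the tests name plus encoded traversal and a sibling directory whose name
// starts with the base directory's name.
const CLIENT_DIR = "/app/client";
const SAMPLE_REQUESTS = [
  "/style.css",
  "/assets/../style.css",
  "/../../../etc/passwd",
  "/./../../etc/passwd",
  "//etc/passwd",
  "/valid/../../../etc/passwd",
  "/%2e%2e/%2e%2e/etc/passwd",
  "/../client-secrets/keys.json",
];

/** Resolve every sample request; null marks a blocked path. */
function resolveAll(): Record<string, string | null> {
  const out: Record<string, string | null> = {};
  for (const req of SAMPLE_REQUESTS) out[req] = resolveAssetPath(req, CLIENT_DIR);
  return out;
}

for (const [req, result] of Object.entries(resolveAll())) {
  console.log(`${result === null ? "BLOCKED" : "serve  "}  ${req}  ->  ${result}`);
}
```

Two caveats for anyone adapting this. The check is lexical: a symlink inside the client directory that points outside it passes, so if untrusted content can create symlinks there, resolve the candidate with fs.realpath before the containment test. And decode the request path exactly once; if the HTTP router has already decoded it, decoding again turns a legitimately encoded "%252e" into "..".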
Spreading entire process.env into an object — may capture all secrets
src/index.ts line 382. The per-request bindings are built from the whole host environment with the explicit env argument layered on top, so every variable the process was started with becomes reachable through the bindings object.
Source: https://github.com/decocms/mesh/blob/454fd3cb49f990b382ddac8349d156ca2deddfc4/src/index.ts#L382
  380 | const bindings = withBindings({
  381 |   authToken: req.headers.get("authorization") ?? null,
> 382 |   env: { ...process.env, ...env },
  383 |   server,
  384 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
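The spread on line 382 copies every variable of the host process into the per-request bindings. As an added example (not @decocms/runtime code), the block below builds the same env field from an explicit allowlist, keeping the same precedence as the flagged line (per-request values override the process environment), and for comparison reports which keys a full spread would have carried along. The allowlist, the sample environment and the secretLikeKeys name heuristic are constructed for this example; no value in it is a real credential.

```typescript
// Added example, not @decocms/runtime code. The sample environment below is
// constructed for illustration; no value in it is a real credential.

type Env = Record<string, string | undefined>;

/** Variables a request handler is allowed to see. Hypothetical list. */
const ALLOWED_ENV = ["NODE_ENV", "PORT", "PUBLIC_BASE_URL"] as const;

/**
 * Copy only the allowlisted keys. Anything the platform injected (cloud
 * credentials, database URLs, signing keys) stays out of the bindings
 * object, so a tool that echoes its context, or an error report that
 * serializes it, cannot leak them.
 */
function pickEnv(source: Env, allowed: readonly string[]): Env {
  const out: Env = {};
  for (const key of allowed) {
    if (source[key] !== undefined) out[key] = source[key];
  }
  return out;
}

/**
 * Build the env binding the way the flagged line does (explicit per-request
 * values win over the process environment), but from the allowlisted subset
 * instead of the whole of process.env.
 */
function buildEnvBinding(processEnv: Env, perRequest: Env, allowed: readonly string[]): Env {
  return { ...pickEnv(processEnv, allowed), ...perRequest };
}

/**
 * Keys whose names suggest secrets. A review aid for seeing what a spread
 * exposes, not a substitute for the allowlist: DATABASE_URL below carries a
 * password yet does not match the pattern.
 */
const SECRET_NAME = /SECRET|TOKEN|PASSWORD|PRIVATE_KEY|API_KEY|CREDENTIAL/i;

function secretLikeKeys(env: Env): string[] {
  return Object.keys(env).filter((k) => SECRET_NAME.test(k)).sort();
}

// Constructed sample of a host process environment.
const SAMPLE_PROCESS_ENV: Env = {
  NODE_ENV: "production",
  PORT: "8787",
  PUBLIC_BASE_URL: "https://example.invalid",
  DATABASE_URL: "postgres://app:not-a-real-password@db.internal/app",
  AWS_SECRET_ACCESS_KEY: "example-not-a-real-key",
  GITHUB_TOKEN: "example-not-a-real-token",
};

/** Compare the spread with the allowlisted binding for the sample above. */
function compare(): { spreadKeys: string[]; allowlistedKeys: string[]; leakedSecretLike: string[] } {
  const perRequest: Env = { NODE_ENV: "staging" };
  const spread = { ...SAMPLE_PROCESS_ENV, ...perRequest }; // the flagged pattern
  const allowlisted = buildEnvBinding(SAMPLE_PROCESS_ENV, perRequest, ALLOWED_ENV);
  return {
    spreadKeys: Object.keys(spread).sort(),
    allowlistedKeys: Object.keys(allowlisted).sort(),
    leakedSecretLike: secretLikeKeys(spread),
  };
}

console.log(compare());
```

The name heuristic is deliberately shown missing DATABASE_URL: scanning key names tells you roughly how bad a spread is, but only an allowlist declared by the handler bounds what a request can see.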
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.9
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (18 hits)
Every hit is a literal "/etc/passwd" used as a test input or as a doc-comment example for the asset server's traversal check; the tests assert that such a request resolves to null or fails the containment check, and none of the flagged lines opens the file.

src/asset-server/index.test.ts lines 49, 53, 116, 117, 120, 121, 124, 125, 128, 129, 141, 142, 143, 146, 147
Source: https://github.com/decocms/mesh/blob/0d95b8eed14ee53daabc79198df27a1d5fe772cf/src/asset-server/index.test.ts#L49
  47 |
  48 | test("blocks traversal to root", () => {
> 49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
  50 | });
  51 |
  52 | test("blocks traversal with ../ sequence", () => {
> 53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
  54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
  55 | });
  (lines 56-113 omitted by the scanner)
  114 |
  115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
  118 |   });
  119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
  122 |   });
  123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
  126 |   });
  127 |
> 128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
  130 |   });
  131 |
  (lines 132-138 omitted by the scanner)
  139 |   });
  140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
  144 |   });
  145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
  148 |   });
  149 | });

src/asset-server/index.ts lines 37, 46, 78 (doc comments of the functions under test)
Source: https://github.com/decocms/mesh/blob/0d95b8eed14ee53daabc79198df27a1d5fe772cf/src/asset-server/index.ts#L37
  35 | /**
  36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
  38 |  *
  39 |  * @param filePath - The resolved absolute file path
  (lines 40-43 omitted by the scanner)
  44 |  * ```ts
  45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
  47 |  * ```
  48 |  */
  (lines 49-75 omitted by the scanner)
  76 |  * // "/app/client/style.css"
  77 |  *
> 78 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
  79 |  * // null (blocked)
  80 |  * ```

Spreading entire process.env into an object — may capture all secrets (1 hit)
src/index.ts line 382. The per-request bindings are built from the whole host environment with the explicit env argument layered on top, so every variable the process was started with becomes reachable through the bindings object.
Source: https://github.com/decocms/mesh/blob/0d95b8eed14ee53daabc79198df27a1d5fe772cf/src/index.ts#L382
  380 | const bindings = withBindings({
  381 |   authToken: req.headers.get("authorization") ?? null,
> 382 |   env: { ...process.env, ...env },
  383 |   server,
  384 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.8
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (18 hits)
The same 18 string matches as in v1.2.9 above, in the asset server's traversal tests and the doc-comment examples of the functions they test; the flagged lines are identical.
src/asset-server/index.test.ts lines 49, 53, 116, 117, 120, 121, 124, 125, 128, 129, 141, 142, 143, 146, 147
Source: https://github.com/decocms/mesh/blob/637b3757c7de080aaa1c1556d386db7928bbcc1c/src/asset-server/index.test.ts#L49
src/asset-server/index.ts lines 37, 46, 78 (doc comments)
Source: https://github.com/decocms/mesh/blob/637b3757c7de080aaa1c1556d386db7928bbcc1c/src/asset-server/index.ts#L37

Spreading entire process.env into an object — may capture all secrets (1 hit)
src/index.ts line 382, env: { ...process.env, ...env } inside the withBindings call; identical to v1.2.9.
Source: https://github.com/decocms/mesh/blob/637b3757c7de080aaa1c1556d386db7928bbcc1c/src/index.ts#L382
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.7
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (18 hits)
The same 18 string matches as in v1.2.9 above, in the asset server's traversal tests and the doc-comment examples of the functions they test; the flagged lines are identical.
src/asset-server/index.test.ts lines 49, 53, 116, 117, 120, 121, 124, 125, 128, 129, 141, 142, 143, 146, 147
Source: https://github.com/decocms/mesh/blob/df0347533f7ed5c17612ca11df459164e271e3f6/src/asset-server/index.test.ts#L49
src/asset-server/index.ts lines 37, 46, 78 (doc comments)
Source: https://github.com/decocms/mesh/blob/df0347533f7ed5c17612ca11df459164e271e3f6/src/asset-server/index.ts#L37

Spreading entire process.env into an object — may capture all secrets (1 hit)
src/index.ts line 382, env: { ...process.env, ...env } inside the withBindings call; identical to v1.2.9.
Source: https://github.com/decocms/mesh/blob/df0347533f7ed5c17612ca11df459164e271e3f6/src/index.ts#L382
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.6
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (18 hits)
The same 18 string matches as in v1.2.9 above, in the asset server's traversal tests and the doc-comment examples of the functions they test; the flagged lines are identical. No source links were recorded for this version.
src/asset-server/index.test.ts lines 49, 53, 116, 117, 120, 121, 124, 125, 128, 129, 141, 142, 143, 146, 147
src/asset-server/index.ts lines 37, 46, 78 (doc comments)

Spreading entire process.env into an object — may capture all secrets (1 hit)
src/index.ts line 382, env: { ...process.env, ...env } inside the withBindings call; identical to v1.2.9.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.5
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (18 hits)
The same 18 string matches as in v1.2.9 above, in the asset server's traversal tests and the doc-comment examples of the functions they test; the flagged lines are identical. No source links were recorded for this version.
src/asset-server/index.test.ts lines 49, 53, 116, 117, 120, 121, 124, 125, 128, 129, 141, 142, 143, 146, 147
src/asset-server/index.ts lines 37, 46, 78 (doc comments)

Spreading entire process.env into an object — may capture all secrets (1 hit)
src/index.ts line 382, env: { ...process.env, ...env } inside the withBindings call; identical to v1.2.9.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.4
20 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
47 |
48 | test("blocks traversal to root", () => {
> 49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
50 | });
51 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
51 |
52 | test("blocks traversal with ../ sequence", () => {
> 53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
55 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
114 |
115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
115 | describe("path traversal attacks - BLOCKED", () => {
116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
119 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
118 |   });
119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
119 |
120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
123 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
122 |   });
123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
123 |
124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
127 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
126 |   });
127 |
> 128 |   test("blocks /../etc/passwd", () => {
129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
127 |
128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
131 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
139 |   });
140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
140 |
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
145 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
144 |   });
145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
145 |
146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
149 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
35 | /**
36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
38 |  *
39 |  * @param filePath - The resolved absolute file path
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
44 |  * ```ts
45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
47 |  * ```
48 |  */
````
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
76 |  * // "/app/client/style.css"
77 |  *
> 78 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
79 |  * // null (blocked)
80 |  * ```
````
Spreading entire process.env into an object — may capture all secrets
```ts
380 | const bindings = withBindings({
381 |   authToken: req.headers.get("authorization") ?? null,
> 382 |   env: { ...process.env, ...env },
383 |   server,
384 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.3
20 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
47 |
48 | test("blocks traversal to root", () => {
> 49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
50 | });
51 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
51 |
52 | test("blocks traversal with ../ sequence", () => {
> 53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
55 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
114 |
115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
115 | describe("path traversal attacks - BLOCKED", () => {
116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
119 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
118 |   });
119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
119 |
120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
123 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
122 |   });
123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
123 |
124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
127 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
126 |   });
127 |
> 128 |   test("blocks /../etc/passwd", () => {
129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
127 |
128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
131 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
139 |   });
140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
140 |
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
145 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
144 |   });
145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
145 |
146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
149 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
35 | /**
36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
38 |  *
39 |  * @param filePath - The resolved absolute file path
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
44 |  * ```ts
45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
47 |  * ```
48 |  */
````
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
76 |  * // "/app/client/style.css"
77 |  *
> 78 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
79 |  * // null (blocked)
80 |  * ```
````
Spreading entire process.env into an object — may capture all secrets
```ts
380 | const bindings = withBindings({
381 |   authToken: req.headers.get("authorization") ?? null,
> 382 |   env: { ...process.env, ...env },
383 |   server,
384 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.2
20 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
47 |
48 | test("blocks traversal to root", () => {
> 49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
50 | });
51 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
51 |
52 | test("blocks traversal with ../ sequence", () => {
> 53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
55 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
114 |
115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
115 | describe("path traversal attacks - BLOCKED", () => {
116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
119 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
118 |   });
119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
119 |
120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
123 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
122 |   });
123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
123 |
124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
127 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
126 |   });
127 |
> 128 |   test("blocks /../etc/passwd", () => {
129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
127 |
128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
131 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
139 |   });
140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
140 |
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
145 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
144 |   });
145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
145 |
146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
149 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
35 | /**
36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
38 |  *
39 |  * @param filePath - The resolved absolute file path
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
44 |  * ```ts
45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
47 |  * ```
48 |  */
````
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
76 |  * // "/app/client/style.css"
77 |  *
> 78 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
79 |  * // null (blocked)
80 |  * ```
````
Spreading entire process.env into an object — may capture all secrets
```ts
380 | const bindings = withBindings({
381 |   authToken: req.headers.get("authorization") ?? null,
> 382 |   env: { ...process.env, ...env },
383 |   server,
384 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.1
20 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
47 |
48 | test("blocks traversal to root", () => {
> 49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
50 | });
51 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
51 |
52 | test("blocks traversal with ../ sequence", () => {
> 53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
55 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
114 |
115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
115 | describe("path traversal attacks - BLOCKED", () => {
116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
119 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
118 |   });
119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
119 |
120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
123 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
122 |   });
123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
123 |
124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
127 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
126 |   });
127 |
> 128 |   test("blocks /../etc/passwd", () => {
129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
127 |
128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
131 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
139 |   });
140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
140 |
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
145 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
144 |   });
145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
145 |
146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
149 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
35 | /**
36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
38 |  *
39 |  * @param filePath - The resolved absolute file path
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
44 |  * ```ts
45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
47 |  * ```
48 |  */
````
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
76 |  * // "/app/client/style.css"
77 |  *
> 78 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
79 |  * // null (blocked)
80 |  * ```
````
Spreading entire process.env into an object — may capture all secrets
```ts
380 | const bindings = withBindings({
381 |   authToken: req.headers.get("authorization") ?? null,
> 382 |   env: { ...process.env, ...env },
383 |   server,
384 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.0
20 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
47 |
48 | test("blocks traversal to root", () => {
> 49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
50 | });
51 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
51 |
52 | test("blocks traversal with ../ sequence", () => {
> 53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
55 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
114 |
115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
115 | describe("path traversal attacks - BLOCKED", () => {
116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
119 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
118 |   });
119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
119 |
120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
123 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
122 |   });
123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
123 |
124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
127 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
126 |   });
127 |
> 128 |   test("blocks /../etc/passwd", () => {
129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
127 |
128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
131 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
139 |   });
140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
140 |
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
145 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
144 |   });
145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
145 |
146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
149 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
35 | /**
36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
38 |  *
39 |  * @param filePath - The resolved absolute file path
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
44 |  * ```ts
45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
47 |  * ```
48 |  */
````
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
76 |  * // "/app/client/style.css"
77 |  *
> 78 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
79 |  * // null (blocked)
80 |  * ```
````
Spreading entire process.env into an object — may capture all secrets
```ts
380 | const bindings = withBindings({
381 |   authToken: req.headers.get("authorization") ?? null,
> 382 |   env: { ...process.env, ...env },
383 |   server,
384 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.3
20 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
47 |
48 | test("blocks traversal to root", () => {
> 49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
50 | });
51 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
51 |
52 | test("blocks traversal with ../ sequence", () => {
> 53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
55 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
114 |
115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
115 | describe("path traversal attacks - BLOCKED", () => {
116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
119 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
118 |   });
119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
119 |
120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
123 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
122 |   });
123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
123 |
124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
127 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
126 |   });
127 |
> 128 |   test("blocks /../etc/passwd", () => {
129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
127 |
128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
131 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
139 |   });
140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
140 |
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
145 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
144 |   });
145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
145 |
146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
149 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
35 | /**
36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
38 |  *
39 |  * @param filePath - The resolved absolute file path
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
44 |  * ```ts
45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
47 |  * ```
48 |  */
````
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
76 |  * // "/app/client/style.css"
77 |  *
> 78 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
79 |  * // null (blocked)
80 |  * ```
````
Spreading entire process.env into an object — may capture all secrets
```ts
374 | const bindings = withBindings({
375 |   authToken: req.headers.get("authorization") ?? null,
> 376 |   env: { ...process.env, ...env },
377 |   server,
378 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.2
20 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
47 |
48 | test("blocks traversal to root", () => {
> 49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
50 | });
51 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
51 |
52 | test("blocks traversal with ../ sequence", () => {
> 53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
55 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
114 |
115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
115 | describe("path traversal attacks - BLOCKED", () => {
116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
119 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
118 |   });
119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
119 |
120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
123 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
122 |   });
123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
123 |
124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
127 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
126 |   });
127 |
> 128 |   test("blocks /../etc/passwd", () => {
129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
127 |
128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
131 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
139 |   });
140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
140 |
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
145 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
144 |   });
145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
145 |
146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
149 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```ts
35 | /**
36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
38 |  *
39 |  * @param filePath - The resolved absolute file path
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
````ts
44 |  * ```ts
45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
47 |  * ```
48 |  */
````
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 76 | * // "/app/client/style.css" 77 | * > 78 | * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" }) 79 | * // null (blocked) 80 | * ```
Spreading entire process.env into an object — may capture all secrets 374 | const bindings = withBindings({ 375 | authToken: req.headers.get("authorization") ?? null, > 376 | env: { ...process.env, ...env }, 377 | server, 378 | tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.1
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (18 hits; the flagged line in each excerpt is marked with `>`)

Test file, lines 47 to 55:

```text
47 |
48 | test("blocks traversal to root", () => {
> 49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
50 | });
51 |
52 | test("blocks traversal with ../ sequence", () => {
> 53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
55 | });
```

Test file, lines 114 to 149 (lines 132 to 138 not shown in the report):

```text
114 |
115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
127 |
> 128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
131 |
...
139 |   });
140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
149 | });
```

Source file, JSDoc of isPathWithinDirectory, lines 35 to 48 (lines 40 to 43 not shown in the report):

````text
35 | /**
36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
38 |  *
39 |  * @param filePath - The resolved absolute file path
...
44 |  * ```ts
45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
47 |  * ```
48 |  */
````

Source file, JSDoc of resolveAssetPathWithTraversalCheck, lines 76 to 80:

````text
76 |  * // "/app/client/style.css"
77 |  *
> 78 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
79 |  * // null (blocked)
80 |  * ```
````

Spreading entire process.env into an object — may capture all secrets (1 hit)

```text
374 | const bindings = withBindings({
375 |   authToken: req.headers.get("authorization") ?? null,
> 376 |   env: { ...process.env, ...env },
377 |   server,
378 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (18 hits; the flagged line in each excerpt is marked with `>`)

Test file, lines 47 to 55:

```text
47 |
48 | test("blocks traversal to root", () => {
> 49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
50 | });
51 |
52 | test("blocks traversal with ../ sequence", () => {
> 53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
55 | });
```

Test file, lines 114 to 149 (lines 132 to 138 not shown in the report):

```text
114 |
115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
127 |
> 128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
131 |
...
139 |   });
140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
149 | });
```

Source file, JSDoc of isPathWithinDirectory, lines 35 to 48 (lines 40 to 43 not shown in the report):

````text
35 | /**
36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
38 |  *
39 |  * @param filePath - The resolved absolute file path
...
44 |  * ```ts
45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
47 |  * ```
48 |  */
````

Source file, JSDoc of resolveAssetPathWithTraversalCheck, lines 76 to 80:

````text
76 |  * // "/app/client/style.css"
77 |  *
> 78 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
79 |  * // null (blocked)
80 |  * ```
````

Spreading entire process.env into an object — may capture all secrets (1 hit)

```text
370 | const bindings = withBindings({
371 |   authToken: req.headers.get("authorization") ?? null,
> 372 |   env: { ...process.env, ...env },
373 |   server,
374 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.3
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (18 hits; the flagged line in each excerpt is marked with `>`)

Test file, lines 47 to 55:

```text
47 |
48 | test("blocks traversal to root", () => {
> 49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
50 | });
51 |
52 | test("blocks traversal with ../ sequence", () => {
> 53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
55 | });
```

Test file, lines 114 to 149 (lines 132 to 138 not shown in the report):

```text
114 |
115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
127 |
> 128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
131 |
...
139 |   });
140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
149 | });
```

Source file, JSDoc of isPathWithinDirectory, lines 35 to 48 (lines 40 to 43 not shown in the report):

````text
35 | /**
36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
38 |  *
39 |  * @param filePath - The resolved absolute file path
...
44 |  * ```ts
45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
47 |  * ```
48 |  */
````

Source file, JSDoc of resolveAssetPathWithTraversalCheck, lines 76 to 80:

````text
76 |  * // "/app/client/style.css"
77 |  *
> 78 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
79 |  * // null (blocked)
80 |  * ```
````

Spreading entire process.env into an object — may capture all secrets (1 hit)

```text
370 | const bindings = withBindings({
371 |   authToken: req.headers.get("authorization") ?? null,
> 372 |   env: { ...process.env, ...env },
373 |   server,
374 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.2
20 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (18 hits; the flagged line in each excerpt is marked with `>`)

Test file, lines 47 to 55:

```text
47 |
48 | test("blocks traversal to root", () => {
> 49 |   expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
50 | });
51 |
52 | test("blocks traversal with ../ sequence", () => {
> 53 |   const traversalPath = resolve(baseDir, "../../../etc/passwd");
54 |   expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
55 | });
```

Test file, lines 114 to 149 (lines 132 to 138 not shown in the report):

```text
114 |
115 | describe("path traversal attacks - BLOCKED", () => {
> 116 |   test("blocks /../../../etc/passwd", () => {
> 117 |     expect(resolvePath("/../../../etc/passwd")).toBeNull();
118 |   });
119 |
> 120 |   test("blocks /assets/../../../etc/passwd", () => {
> 121 |     expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
122 |   });
123 |
> 124 |   test("blocks /./../../etc/passwd", () => {
> 125 |     expect(resolvePath("/./../../etc/passwd")).toBeNull();
126 |   });
127 |
> 128 |   test("blocks /../etc/passwd", () => {
> 129 |     expect(resolvePath("/../etc/passwd")).toBeNull();
130 |   });
131 |
...
139 |   });
140 |
> 141 |   test("blocks //etc/passwd (resolves to absolute path)", () => {
> 142 |     // Double slash after stripping leading / becomes /etc/passwd (absolute)
> 143 |     expect(resolvePath("//etc/passwd")).toBeNull();
144 |   });
145 |
> 146 |   test("blocks /valid/../../../etc/passwd", () => {
> 147 |     expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
148 |   });
149 | });
```

Source file, JSDoc of isPathWithinDirectory, lines 35 to 48 (lines 40 to 43 not shown in the report):

````text
35 | /**
36 |  * Check if a resolved file path is safely within the allowed base directory.
> 37 |  * Prevents path traversal attacks (e.g., /../../../etc/passwd).
38 |  *
39 |  * @param filePath - The resolved absolute file path
...
44 |  * ```ts
45 |  * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
> 46 |  * isPathWithinDirectory("/etc/passwd", "/app/client") // false
47 |  * ```
48 |  */
````

Source file, JSDoc of resolveAssetPathWithTraversalCheck, lines 76 to 80:

````text
76 |  * // "/app/client/style.css"
77 |  *
> 78 |  * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
79 |  * // null (blocked)
80 |  * ```
````

Spreading entire process.env into an object — may capture all secrets (1 hit)

```text
370 | const bindings = withBindings({
371 |   authToken: req.headers.get("authorization") ?? null,
> 372 |   env: { ...process.env, ...env },
373 |   server,
374 |   tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.0
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.0
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.1
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.0
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.0
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.