mark/master-ai
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: resolve path isolation bug in fs_tree, fs_list, fs_glob and fs_grep by defaulting to empty path instead of /workspace

Browse Source
This commit is contained in:
mawkone
2026-06-02 12:45:01 -07:00
parent c29587b24f
commit df4cae2a5c
1 changed files with 4 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
vibn-frontend/app/api/mcp/route.ts
View File

@@ -5083,10 +5083,7 @@ async function toolFsList(principal: Principal, params: Record<string, any>) {
if (guard) return guard; if (guard) return guard;
const project = await resolveProjectOr404(principal, params); const project = await resolveProjectOr404(principal, params);
if (project instanceof NextResponse) return project; if (project instanceof NextResponse) return project;
const path = normalizeFsPath( const path = normalizeFsPath(String(params.path ?? ""), project.slug);
String(params.path ?? "/workspace"),
project.slug,
);
if (path instanceof NextResponse) return path; if (path instanceof NextResponse) return path;
const cmd = `cd ${shq(path)} && ls -lA --time-style=long-iso 2>&1 | head -200`; const cmd = `cd ${shq(path)} && ls -lA --time-style=long-iso 2>&1 | head -200`;
const r = await runFsCmd(principal, project, cmd); const r = await runFsCmd(principal, project, cmd);
@@ -5133,7 +5130,7 @@ async function toolFsGlob(principal: Principal, params: Record<string, any>) {
{ status: 400 }, { status: 400 },
); );
} }
const cwd = normalizeFsPath(String(params.cwd ?? "/workspace"), project.slug); const cwd = normalizeFsPath(String(params.cwd ?? ""), project.slug);
if (cwd instanceof NextResponse) return cwd; if (cwd instanceof NextResponse) return cwd;
// ripgrep --files --glob is faster + smarter than `find` and respects .gitignore. // ripgrep --files --glob is faster + smarter than `find` and respects .gitignore.
const cmd = `cd ${shq(cwd)} && rg --files --glob ${shq(pattern)} | head -500`; const cmd = `cd ${shq(cwd)} && rg --files --glob ${shq(pattern)} | head -500`;
@@ -5159,7 +5156,7 @@ async function toolFsGrep(principal: Principal, params: Record<string, any>) {
{ status: 400 }, { status: 400 },
); );
} }
const cwd = normalizeFsPath(String(params.cwd ?? "/workspace"), project.slug); const cwd = normalizeFsPath(String(params.cwd ?? ""), project.slug);
if (cwd instanceof NextResponse) return cwd; if (cwd instanceof NextResponse) return cwd;
const glob = const glob =
typeof params.glob === "string" && params.glob.trim() typeof params.glob === "string" && params.glob.trim()
@@ -6131,10 +6128,7 @@ async function toolFsTree(principal: Principal, params: Record<string, any>) {
if (guard) return guard; if (guard) return guard;
const project = await resolveProjectOr404(principal, params); const project = await resolveProjectOr404(principal, params);
if (project instanceof NextResponse) return project; if (project instanceof NextResponse) return project;
const path = normalizeFsPath( const path = normalizeFsPath(String(params.path ?? ""), project.slug);
String(params.path ?? "/workspace"),
project.slug,
);
if (path instanceof NextResponse) return path; if (path instanceof NextResponse) return path;
// Use find to generate a tree structure, ignoring node_modules and .git // Use find to generate a tree structure, ignoring node_modules and .git