.snyk (5.62 kB)

```yaml
# Snyk (https://snyk.io) policy file version: v1.22.1
# Manual Snyk policy file for security audit findings
# Created: 2025-11-15
# Reference: docs/SNYK_VULNERABILITY_AUDIT_2025.md

# Ignore rules for validated false positives
# All path traversal findings have been manually audited and validated as false positives
# See comprehensive analysis in docs/SNYK_VULNERABILITY_AUDIT_2025.md
ignore:
  # HIGH Severity - Path Traversal in write_file PDF operations
  'SNYK-JS-VULCANFILEOPS-PATH-TRAVERSAL-WRITE-PDF':
    - 'src/tools/write-tools.ts':
        reason: |
          FALSE POSITIVE - Path is validated by validatePath() before reaching fs.writeFile().
          validatePath() enforces:
          1. Canonical path resolution (path.resolve + path.normalize)
          2. Allowed directory boundary checking with path separator requirement
          3. Symlink resolution and target validation
          4. Parent directory validation for new files
          Prevents: CWE-23, CVE-2025-54794, CVE-2025-53109, CVE-2025-53110
        expires: '2026-11-15T00:00:00.000Z'
        created: '2025-11-15T00:00:00.000Z'

  # HIGH Severity - Path Traversal in write_file DOCX operations
  'SNYK-JS-VULCANFILEOPS-PATH-TRAVERSAL-WRITE-DOCX':
    - 'src/tools/write-tools.ts':
        reason: |
          FALSE POSITIVE - Path is validated by validatePath() before reaching fs.writeFile().
          Same comprehensive validation as PDF operations above.
          See security annotations in code (lines 81, 87, 97, 103).
        expires: '2026-11-15T00:00:00.000Z'
        created: '2025-11-15T00:00:00.000Z'

  # MEDIUM Severity - Path Traversal in writeFileContent
  'SNYK-JS-VULCANFILEOPS-PATH-TRAVERSAL-WRITEFILECONTENT':
    - 'src/utils/lib.ts':
        reason: |
          FALSE POSITIVE - writeFileContent() is only called after upstream validatePath().
          Function implements additional security:
          - 'wx' flag prevents writes through pre-existing symlinks
          - Atomic rename prevents TOCTOU race conditions
          All callers enforce validatePath() first (defense-in-depth).
        expires: '2026-11-15T00:00:00.000Z'
        created: '2025-11-15T00:00:00.000Z'

  # MEDIUM Severity - Path Traversal in processFileEditRequest
  'SNYK-JS-VULCANFILEOPS-PATH-TRAVERSAL-EDIT-REQUEST':
    - 'src/tools/write-tools.ts':
        reason: |
          FALSE POSITIVE - First operation in processFileEditRequest() is validatePath().
          All edit operations must pass through this validation.
          See security annotations in code (lines 122-123).
        expires: '2026-11-15T00:00:00.000Z'
        created: '2025-11-15T00:00:00.000Z'

  # MEDIUM Severity - Path Traversal in write_multiple_files
  'SNYK-JS-VULCANFILEOPS-PATH-TRAVERSAL-WRITE-MULTIPLE':
    - 'src/tools/write-tools.ts':
        reason: |
          FALSE POSITIVE - All paths validated in batch via validatePath() before writing.
          Operation fails atomically if any path validation fails.
          Batch validation at lines 456-473 ensures all paths are safe.
        expires: '2026-11-15T00:00:00.000Z'
        created: '2025-11-15T00:00:00.000Z'

  # MEDIUM Severity - Path Traversal in performRollback (FIXED)
  'SNYK-JS-VULCANFILEOPS-PATH-TRAVERSAL-ROLLBACK':
    - 'src/tools/write-tools.ts':
        reason: |
          FIXED - Added explicit re-validation in performRollback() function.
          Paths are now re-validated via validatePath() before rollback operations.
          Defense-in-depth protection against edge cases where allowed directories change.
          Fix applied: 2025-11-15
        expires: '2026-11-15T00:00:00.000Z'
        created: '2025-11-15T00:00:00.000Z'

  # Generic CWE-23 Path Traversal patterns
  # (kept under the single top-level ignore mapping: a second 'ignore:' key
  # would be a duplicate YAML key and the second mapping would be dropped or rejected)
  'CWE-23':
    - 'src/tools/write-tools.ts':
        reason: |
          All CWE-23 (Path Traversal) findings in this file are false positives.
          Comprehensive security architecture implemented:
          - Multi-layer path validation (validatePath + isPathWithinAllowedDirectories)
          - Canonical path resolution prevents directory traversal
          - Symlink target validation prevents symlink attacks
          - Atomic write operations prevent race conditions
          - Directory whitelisting enforced globally
          Complete analysis: docs/SNYK_VULNERABILITY_AUDIT_2025.md
        expires: '2026-11-15T00:00:00.000Z'
        created: '2025-11-15T00:00:00.000Z'
    - 'src/utils/lib.ts':
        reason: |
          All CWE-23 findings in this file are false positives.
          writeFileContent() and other utility functions are only called after
          upstream validation via validatePath().
          Defense-in-depth architecture ensures multiple security layers protect
          against path traversal.
        expires: '2026-11-15T00:00:00.000Z'
        created: '2025-11-15T00:00:00.000Z'

# Patch rules (currently none needed)
patch: {}

# Notes for security team:
# - This policy file suppresses validated false positives from Snyk static analysis
# - All findings have been manually audited and documented in SNYK_VULNERABILITY_AUDIT_2025.md
# - Static analysis cannot recognize custom validatePath() security function
# - Security architecture has been validated against CVE patterns:
#   * CVE-2025-54794 (Path Restriction Bypass) - FIXED
#   * CVE-2025-54795 (Command Injection) - PROTECTED
#   * CVE-2025-53109 (Symlink Attacks) - PROTECTED
#   * CVE-2025-53110 (Directory Containment Bypass) - PROTECTED
# - Policy expires in 1 year for re-evaluation
# - Dynamic security testing recommended to complement static analysis
```
