Cut v0.1.0-beta.5#8
Merged
Merged
Conversation
Three low-risk hardening fixes from a security review. None is exploitable today; each removes a latent footgun should an input source change. - ui.ts: validate the URL before openUrl hands it to a shell on Windows (`start` is a cmd builtin). Restrict to an https `*.vercel.run` origin with a shell-safe character set via a new exported `isOpenableUrl` predicate. - ready.ts: pass the loop count and port to the waitForPort probe as bash positional args ($1/$2) instead of string-interpolating them, matching the positional-arg pattern used elsewhere. - sync.ts: add `--` to the remote `rm -f` so no target can be read as an option (targets are always absolute, so this is belt-and-suspenders). Adds unit tests for isOpenableUrl and updates the removeFiles assertion. https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh
Beta feedback showed raw HTTP 403 dumps with no guidance ("No clue why i
got this or what to even do"). v0.1.0-beta.3 calmed the `up .` auth paths;
this extends the same treatment to the paths it missed:
- `up stop` had none of the calm handling: an expired/invalid token dumped
the same raw 403 the feedback flagged. Route auth failures to the
sign-in note, and turn the very common "nothing to stop" case (sandbox
expired, or stop ran from a different directory than `up .`) into a
short explanation pointing at `up ls` instead of a raw 404/410 body.
- The sign-in note assumed the Vercel CLI is installed; `vercel login` is
a dead end for newcomers without it. Add a dim hint with the install
command and the VERCEL_TOKEN alternative.
- The dev-server timeout error never named the port it was waiting on. A
dev script that binds a different port (hardcoded -p, PORT ignored) hit
a 90s wait then an unexplained timeout. Name the port and point at
--port.
https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh
Beta feedback: a user declined the .env.local prompt and their app (which needed those keys) ran broken, with a nag line on every later run and the flag required on each retry. A local dotenv almost always exists because the app needs it, so lean into that: - Default the .env.local prompt to yes; the common path is one Enter. - `--env-file` now records the choice, so passing it once re-enables injection on future runs (it also overrides an earlier "no"). - A recorded "no" stays quiet instead of printing the --env-file hint on every run; the hint shows only while no decision exists. - Drop the "!" on the env line of the shared-command trust panel; env injection is the expected case, not an alarm (sensitive-config keeps its warning since that genuinely persists in snapshots). https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh
`up` waited on the framework's default port even when the project's dev script bound a different one (e.g. `next dev -p 4000`, `vite --port=8000`, `PORT=4000 node server.js`). Since `pm run dev` does not forward a port flag and a hardcoded port ignores the injected PORT env var, the server came up on its own port while the supervisor polled the default, ending in a 90s timeout for a project that needed no flags. Parse an explicit port out of the dev script (--port/-p/PORT=) and use it as the profile port so the supervisor waits where the server actually binds. Conservative matching: word-boundary guarded so `--prefix`, `npm-run-all -p`, and `run-p` are not misread, and out-of-range values are ignored. Falls back to the framework default when no port is present. https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh
The message fallback /not[_ ]?found/i also matched ENOTFOUND, so `up stop` while offline would report "Nothing to stop" instead of the network error, leaving the user believing a still-running sandbox (and its public URL) was stopped. Match the API status (404/410) only, like the SDK does; anything else surfaces as a real error. https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh
Ships the changes from #4 and #5: hardened command construction, calmer auth/stop/timeout error paths, low-friction env-file injection, and honoring an explicit port in the project's dev script. - Add the v0.1.0-beta.4 release artifacts (sha256-checksummed bundle). - Point install.sh's default version at v0.1.0-beta.4. - Print the next step after a successful install when no PATH change is needed, so the happy path ends with what to run instead of silence. https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh
Security-review follow-ups (F1, F2). F1 — cap untrusted file reads during the pre-trust scan. up.config.json is already bounded, but framework detection read package.json, and 283 of the @vercel/frameworks detectors read other files (index.js, server.ts, Cargo.toml, ...) whole into memory via the filesystem detector. A cloned repo could bloat any of them and OOM the local `up` process before any trust prompt. Detection now reads through a size-bounded filesystem detector (oversized file -> treated as empty), and readPackageJson, countDeps, and the env-file reader gained the same 4 MB guard. The env guard matters now that the .env.local prompt defaults to yes. F2 — SECURITY.md now states that `up .` runs the project's own install/dev commands in your Vercel account (the sandbox isolates them from your machine, not your account), and notes that only the dev command receives the injected env file, never the install step. https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh
# Conflicts: # packages/cli/test/detect.test.ts
Ships the bounded-read hardening (#7) on top of everything in beta.4. - Add the v0.1.0-beta.5 release artifacts (sha256-checksummed bundle). - Point install.sh's default version at v0.1.0-beta.5. https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ships the bounded-read hardening (#7) to users, on top of everything already in beta.4.
v0.1.0-beta.5release artifacts underapps/downloads/public/releases/(sha256e7611132a5e1c0454d2513ebd12aaedfcec679f89194d3037948b82b06007b5d; existing release directories untouched).install.sh's default version atv0.1.0-beta.5.Verified locally:
verify-releasespasses for all five release directories,sh -non the installer, lint/build, and the immutability check (only a new directory is added). The bundle is built from this branch's source (main + #7), so the GitHub Release produced when thev0.1.0-beta.5tag is pushed will reproduce this checksum.After merge: push the tag
v0.1.0-beta.5(pointing at the merge commit) to publish the GitHub Release.https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh
Generated by Claude Code