fix(hooks): scrub secrets and harden hook security (#348)

* fix(hooks): scrub secrets and harden hook security - Scrub common secret patterns (api_key, token, password, etc.) from observation logs before persisting to JSONL (observe.sh) - Auto-purge observation files older than 30 days (observe.sh) - Strip embedded credentials from git remote URLs before saving to projects.json (detect-project.sh) - Add command prefix allowlist to runCommand — only git, node, npx, which, where are permitted (utils.js) - Sanitize CLAUDE_SESSION_ID in temp file paths to prevent path traversal (suggest-compact.js) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(hooks): address review feedback from CodeRabbit and Cubic - Reject shell command-chaining operators (;|&`) in runCommand, strip quoted sections before checking to avoid false positives (utils.js) - Remove command string from blocked error message to avoid leaking secrets (utils.js) - Fix Python regex quoting: switch outer shell string from double to single quotes so regex compiles correctly (observe.sh) - Add optional auth scheme match (Bearer, Basic) to secret scrubber regex (observe.sh) - Scope auto-purge to current project dir and match only archived files (observations-*.jsonl), not live queue (observe.sh) - Add second fallback after session ID sanitization to prevent empty string (suggest-compact.js) - Preserve backward compatibility when credential stripping changes project hash — detect and migrate legacy directories (detect-project.sh) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(hooks): block $() substitution, fix Bearer redaction, add security tests - Add $ and \n to blocked shell metacharacters in runCommand to prevent command substitution via $(cmd) and newline injection (utils.js) - Make auth scheme group capturing so Bearer/Basic is preserved in redacted output instead of being silently dropped (observe.sh) - Add 10 unit tests covering runCommand allowlist blocking (rm, curl, bash prefixes) and metacharacter rejection (;|&`$ chaining), plus error message leak prevention (utils.test.js) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(hooks): scrub parse-error fallback, strengthen security tests Address remaining reviewer feedback from CodeRabbit and Cubic: - Scrub secrets in observe.sh parse-error fallback path (was writing raw unsanitized input to observations file) - Remove redundant re.IGNORECASE flag ((?i) inline flag already set) - Add inline comment documenting quote-stripping limitation trade-off - Fix misleading test name for error-output test - Add 5 new security tests: single-quote passthrough, mixed quoted+unquoted metacharacters, prefix boundary (no trailing space), npx acceptance, and newline injection - Improve existing quoted-metacharacter test to actually exercise quote-stripping logic Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(security): block $() and backtick inside quotes in runCommand Shell evaluates $() and backticks inside double quotes, so checking only the unquoted portion was insufficient. Now $ and ` are rejected anywhere in the command string, while ; | & remain quote-aware. Addresses CodeRabbit and Cubic review feedback on PR #348. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-30 13:43:26 +08:00 · 2026-03-08 08:47:31 +10:00
parent 03b3e0d0da
commit 9661a6f042
5 changed files with 193 additions and 22 deletions
--- a/tests/lib/utils.test.js
+++ b/tests/lib/utils.test.js
@@ -976,13 +976,120 @@ function runTests() {
    assert.ok(result.output.includes('custom error'), 'Should include stderr output');
  })) passed++; else failed++;

-  if (test('runCommand falls back to err.message when no stderr', () => {
-    // An invalid command that won't produce stderr through child process
-    const result = utils.runCommand('nonexistent_cmd_xyz_12345');
+  if (test('runCommand returns error output on failed command', () => {
+    // Use an allowed prefix with a nonexistent subcommand to reach execSync
+    const result = utils.runCommand('git nonexistent-subcmd-xyz-12345');
    assert.strictEqual(result.success, false);
    assert.ok(result.output.length > 0, 'Should have some error output');
  })) passed++; else failed++;

+  // ── runCommand security: allowlist and metacharacter blocking ──
+  console.log('\nrunCommand Security (allowlist + metacharacters):');
+
+  if (test('runCommand blocks disallowed command prefix', () => {
+    const result = utils.runCommand('rm -rf /');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('unrecognized command prefix'), 'Should mention blocked prefix');
+  })) passed++; else failed++;
+
+  if (test('runCommand blocks curl command', () => {
+    const result = utils.runCommand('curl http://example.com');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('unrecognized command prefix'));
+  })) passed++; else failed++;
+
+  if (test('runCommand blocks bash command', () => {
+    const result = utils.runCommand('bash -c "echo hello"');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('unrecognized command prefix'));
+  })) passed++; else failed++;
+
+  if (test('runCommand blocks semicolon command chaining', () => {
+    const result = utils.runCommand('git status; echo pwned');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('metacharacters not allowed'), 'Should block semicolon chaining');
+  })) passed++; else failed++;
+
+  if (test('runCommand blocks pipe command chaining', () => {
+    const result = utils.runCommand('git log | cat');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('metacharacters not allowed'), 'Should block pipe chaining');
+  })) passed++; else failed++;
+
+  if (test('runCommand blocks ampersand command chaining', () => {
+    const result = utils.runCommand('git status && echo pwned');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('metacharacters not allowed'), 'Should block ampersand chaining');
+  })) passed++; else failed++;
+
+  if (test('runCommand blocks dollar sign command substitution', () => {
+    const result = utils.runCommand('git log $(whoami)');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('metacharacters not allowed'), 'Should block $ substitution');
+  })) passed++; else failed++;
+
+  if (test('runCommand blocks backtick command substitution', () => {
+    const result = utils.runCommand('git log `whoami`');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('metacharacters not allowed'), 'Should block backtick substitution');
+  })) passed++; else failed++;
+
+  if (test('runCommand allows metacharacters inside double quotes', () => {
+    // Semicolon inside quotes should not trigger metacharacter blocking
+    const result = utils.runCommand('node -e "console.log(1);process.exit(0)"');
+    assert.strictEqual(result.success, true);
+  })) passed++; else failed++;
+
+  if (test('runCommand allows metacharacters inside single quotes', () => {
+    const result = utils.runCommand("node -e 'process.exit(0);'");
+    assert.strictEqual(result.success, true);
+  })) passed++; else failed++;
+
+  if (test('runCommand blocks unquoted metacharacters alongside quoted ones', () => {
+    // Semicolon inside quotes is safe, but && outside is not
+    const result = utils.runCommand('git log "safe;part" && echo pwned');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('metacharacters not allowed'));
+  })) passed++; else failed++;
+
+  if (test('runCommand blocks prefix without trailing space', () => {
+    // "gitconfig" starts with "git" but not "git " — must be blocked
+    const result = utils.runCommand('gitconfig --list');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('unrecognized command prefix'));
+  })) passed++; else failed++;
+
+  if (test('runCommand allows npx prefix', () => {
+    const result = utils.runCommand('npx --version');
+    assert.strictEqual(result.success, true);
+  })) passed++; else failed++;
+
+  if (test('runCommand blocks newline command injection', () => {
+    const result = utils.runCommand('git status\necho pwned');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('metacharacters not allowed'), 'Should block newline injection');
+  })) passed++; else failed++;
+
+  if (test('runCommand blocks $() inside double quotes (shell still evaluates)', () => {
+    // $() inside double quotes is still evaluated by the shell, so block $ everywhere
+    const result = utils.runCommand('node -e "$(whoami)"');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('metacharacters not allowed'), 'Should block $ inside quotes');
+  })) passed++; else failed++;
+
+  if (test('runCommand blocks backtick inside double quotes (shell still evaluates)', () => {
+    const result = utils.runCommand('node -e "`whoami`"');
+    assert.strictEqual(result.success, false);
+    assert.ok(result.output.includes('metacharacters not allowed'), 'Should block backtick inside quotes');
+  })) passed++; else failed++;
+
+  if (test('runCommand error message does not leak command string', () => {
+    const secret = 'rm secret_password_123';
+    const result = utils.runCommand(secret);
+    assert.strictEqual(result.success, false);
+    assert.ok(!result.output.includes('secret_password_123'), 'Should not leak command contents');
+  })) passed++; else failed++;
+
  // ── Round 31: getGitModifiedFiles with empty patterns ──
  console.log('\ngetGitModifiedFiles empty patterns (Round 31):');