zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-06-22 16:11:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: prevent IOC scanner false positives on hook filenames and scan .cursor configs (#2245)

Browse Source 
* fix: prevent IOC scanner false positives on hook filenames and scan .cursor configs

The supply-chain IOC scanner matched CRITICAL_TEXT_INDICATORS with plain
substring search, so legitimate hook filenames that merely end with a known
payload name (e.g. the stock Cursor hook before-shell-execution.js vs the
payload execution.js) were flagged as CRITICAL. Indicator matching now
requires a non-filename character before the match.

Also add .cursor/ to the special config paths so Cursor hooks.json files
(a known persistence vector already listed in PERSISTENCE_FILENAMES) are
actually inspected in normal checkouts - previously they were only scanned
by accident when the repo path happened to contain /.claude/.

* test: cover underscore-prefixed filenames in IOC boundary suppression

Make explicit that '_' is treated as a filename word character, so
snake_case hook names like post_execution.js are intentionally not
flagged by the execution.js indicator (real payload references appear
after '/', quotes, or whitespace).
This commit is contained in:
daiki75
2026-06-16 02:48:50 +09:00
committed by GitHub
parent d293941643
commit e3f18d2376
2 changed files with 51 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/ci/scan-supply-chain-iocs.test.js
+39
View File
@@ -310,6 +310,45 @@ function run() {
});
})) passed++; else failed++;
if (test('does not flag legitimate hook filenames ending in an IOC filename', () => {
withFixture({
'.cursor/hooks.json': JSON.stringify({
hooks: {
beforeShellExecution: [{
command: 'node .cursor/hooks/before-shell-execution.js',
}],
afterShellExecution: [{
command: 'node .cursor/hooks/after-shell-execution.js',
}],
beforeMCPExecution: [{
command: 'node .cursor/hooks/before-mcp-execution.js',
}],
afterFileEdit: [{
command: 'node .cursor/hooks/post_execution.js',
}],
},
}, null, 2),
}, rootDir => {
const result = scanSupplyChainIocs({ rootDir });
assert.deepStrictEqual(result.findings, []);
});
})) passed++; else failed++;
if (test('still flags the bare execution.js payload after a path separator', () => {
withFixture({
'.cursor/hooks.json': JSON.stringify({
hooks: {
sessionStart: [{
command: 'node .cursor/hooks/execution.js',
}],
},
}, null, 2),
}, rootDir => {
const result = scanSupplyChainIocs({ rootDir });
assert.ok(result.findings.some(finding => finding.indicator === 'execution.js'));
});
})) passed++; else failed++;
if (test('rejects user-level VS Code task persistence when home scan is enabled', () => {
withFixture({
'home/Library/Application Support/Code/User/tasks.json': JSON.stringify({