Extends the DIS scanner and its shared permission-rules lib with a third
documented Claude Code permission footgun. Verified verbatim against
code.claude.com/docs/en/permissions (fetched 2026-06-19).
CC's Tool(param:value) matching (2.1.178) is off-limits for a tool's own
canonicalizing field — CC ignores such a rule and emits a startup warning,
because e.g. Bash(command:rm *) is bypassable by a compound command. The
forbidden fields: command (Bash/PowerShell), file_path (Read/Edit/Write),
path (Grep/Glob), notebook_path (NotebookEdit), url (WebFetch).
- lib/permission-rules.mjs: new forbiddenParamRule(entry) returning
{ tool, key, hint } or null. Only the param:value form (colon present)
whose key equals the tool's forbidden field is flagged; Bash(npm:*),
WebFetch(domain:host), Agent(model:opus), and Bash(command) (no colon)
are left valid. FORBIDDEN_PARAMS map is the single source of truth.
- DIS: scans allow + deny + ask and splits severity by intent — deny/ask
hits are false security (medium: the block never applies), allow hits are
dead config (low: param:value matching is deny/ask-only). Two findings,
permissions-hygiene, CA-DIS-NNN.
- 11 new tests (7 lib, 4 DIS) + 1 fixture forbidden-param-permissions
(force-added past .gitignore .claude/). Suite 918 -> 929. Snapshot
unchanged (SC-5 byte-equal), contamination grep clean, gitleaks clean.
README/CLAUDE document the broadened DIS mandate; test badge synced.
self-audit: PASS, configGrade A 97, pluginGrade A 100, scanners 13.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
184 lines
7.7 KiB
JavaScript
184 lines
7.7 KiB
JavaScript
import { describe, it } from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import {
|
|
parseRule,
|
|
paramMatches,
|
|
dominates,
|
|
rulesIntersect,
|
|
isIneffectiveAllowGlob,
|
|
forbiddenParamRule,
|
|
} from '../../scanners/lib/permission-rules.mjs';
|
|
|
|
describe('permission-rules — parseRule', () => {
|
|
it('bare tool → param null', () => {
|
|
assert.deepEqual(parseRule('Bash'), { tool: 'Bash', param: null });
|
|
});
|
|
|
|
it('param-qualified tool → tool + param', () => {
|
|
assert.deepEqual(parseRule('Bash(npm:*)'), { tool: 'Bash', param: 'npm:*' });
|
|
});
|
|
|
|
it('domain rule → tool + param', () => {
|
|
assert.deepEqual(parseRule('WebFetch(domain:example.com)'), {
|
|
tool: 'WebFetch',
|
|
param: 'domain:example.com',
|
|
});
|
|
});
|
|
|
|
it('non-string → tool null', () => {
|
|
assert.equal(parseRule(null).tool, null);
|
|
});
|
|
});
|
|
|
|
describe('permission-rules — paramMatches (glob)', () => {
|
|
it('wildcard matches any suffix', () => {
|
|
assert.equal(paramMatches('domain:*', 'domain:good.com'), true);
|
|
assert.equal(paramMatches('npm:*', 'npm:install'), true);
|
|
});
|
|
|
|
it('exact literal matches', () => {
|
|
assert.equal(paramMatches('domain:good.com', 'domain:good.com'), true);
|
|
});
|
|
|
|
it('distinct literals do not match', () => {
|
|
assert.equal(paramMatches('domain:evil.com', 'domain:good.com'), false);
|
|
assert.equal(paramMatches('model:opus', 'model:sonnet'), false);
|
|
});
|
|
|
|
it('literal pattern does not match a wildcard value', () => {
|
|
assert.equal(paramMatches('domain:good.com', 'domain:*'), false);
|
|
});
|
|
});
|
|
|
|
describe('permission-rules — dominates (deny fully covers allow → dead allow)', () => {
|
|
it('bare deny covers any param-qualified allow', () => {
|
|
assert.equal(dominates('Bash', 'Bash(npm:*)'), true);
|
|
});
|
|
|
|
it('exact param deny covers identical allow', () => {
|
|
assert.equal(dominates('Agent(model:opus)', 'Agent(model:opus)'), true);
|
|
});
|
|
|
|
it('wildcard deny covers matching literal allow', () => {
|
|
assert.equal(dominates('WebFetch(domain:*)', 'WebFetch(domain:example.com)'), true);
|
|
});
|
|
|
|
it('distinct param deny does NOT cover a different param allow (the false positive)', () => {
|
|
assert.equal(dominates('Agent(model:opus)', 'Agent(model:sonnet)'), false);
|
|
assert.equal(dominates('WebFetch(domain:evil.com)', 'WebFetch(domain:good.com)'), false);
|
|
});
|
|
|
|
it('specific deny does NOT cover a bare allow (sonnet still allowed)', () => {
|
|
assert.equal(dominates('Agent(model:opus)', 'Agent'), false);
|
|
});
|
|
|
|
it('deny-all glob Tool(*) covers a bare allow (Bash(*) ≡ bare Bash deny)', () => {
|
|
// CC: "Bash(*) is equivalent to Bash ... As a deny rule, both forms remove
|
|
// the tool from Claude's context." So Bash(*) deny kills a bare Bash allow.
|
|
assert.equal(dominates('Bash(*)', 'Bash'), true);
|
|
assert.equal(dominates('Bash(*)', 'Bash(npm:*)'), true);
|
|
});
|
|
|
|
it('different tools never dominate', () => {
|
|
assert.equal(dominates('Bash', 'Read'), false);
|
|
});
|
|
});
|
|
|
|
describe('permission-rules — isIneffectiveAllowGlob (CC silently skips these allow entries)', () => {
|
|
it('unanchored tool-name globs are ineffective', () => {
|
|
assert.equal(isIneffectiveAllowGlob('*'), true);
|
|
assert.equal(isIneffectiveAllowGlob('B*'), true);
|
|
assert.equal(isIneffectiveAllowGlob('mcp__*'), true);
|
|
assert.equal(isIneffectiveAllowGlob('mcp__*__foo'), true); // glob in server segment
|
|
});
|
|
|
|
it('MCP globs anchored to a literal server are valid (not flagged)', () => {
|
|
assert.equal(isIneffectiveAllowGlob('mcp__puppeteer__*'), false);
|
|
assert.equal(isIneffectiveAllowGlob('mcp__github__get_*'), false);
|
|
});
|
|
|
|
it('non-glob and specifier forms are valid (not flagged)', () => {
|
|
assert.equal(isIneffectiveAllowGlob('Bash'), false); // legit match-all-tool allow
|
|
assert.equal(isIneffectiveAllowGlob('mcp__puppeteer'), false); // legit match-all-server
|
|
assert.equal(isIneffectiveAllowGlob('Bash(npm run *)'), false);// glob inside specifier is fine
|
|
assert.equal(isIneffectiveAllowGlob('Read(src/**)'), false);
|
|
});
|
|
|
|
it('non-string → false', () => {
|
|
assert.equal(isIneffectiveAllowGlob(null), false);
|
|
assert.equal(isIneffectiveAllowGlob(undefined), false);
|
|
});
|
|
});
|
|
|
|
describe('permission-rules — forbiddenParamRule (CC ignores Tool(param:value) for the tool\'s own canonicalizing field)', () => {
|
|
// CC: "Fields that a tool already matches with its own canonicalizing rules
|
|
// are not matchable this way: command for Bash and PowerShell, file_path for
|
|
// Read/Edit/Write, path for Grep/Glob, notebook_path for NotebookEdit, and
|
|
// url for WebFetch. ... Claude Code ignores it and emits a startup warning."
|
|
// (code.claude.com/docs/en/permissions — "Match by input parameter")
|
|
|
|
it('flags command: for Bash and PowerShell', () => {
|
|
assert.equal(forbiddenParamRule('Bash(command:rm *)').key, 'command');
|
|
assert.equal(forbiddenParamRule('PowerShell(command:Remove-Item *)').key, 'command');
|
|
});
|
|
|
|
it('flags file_path: for Read/Edit/Write', () => {
|
|
assert.equal(forbiddenParamRule('Read(file_path:/etc/passwd)').key, 'file_path');
|
|
assert.equal(forbiddenParamRule('Edit(file_path:/src/x)').tool, 'Edit');
|
|
assert.equal(forbiddenParamRule('Write(file_path:/src/x)').tool, 'Write');
|
|
});
|
|
|
|
it('flags path: for Grep/Glob, notebook_path: for NotebookEdit, url: for WebFetch', () => {
|
|
assert.equal(forbiddenParamRule('Grep(path:/secrets)').key, 'path');
|
|
assert.equal(forbiddenParamRule('Glob(path:/secrets)').key, 'path');
|
|
assert.equal(forbiddenParamRule('NotebookEdit(notebook_path:/nb.ipynb)').key, 'notebook_path');
|
|
assert.equal(forbiddenParamRule('WebFetch(url:http://evil.com)').key, 'url');
|
|
});
|
|
|
|
it('returns a tool-specific correct-syntax hint', () => {
|
|
assert.match(forbiddenParamRule('Bash(command:rm *)').hint, /Bash\(/);
|
|
assert.match(forbiddenParamRule('WebFetch(url:http://x)').hint, /domain:/);
|
|
});
|
|
|
|
it('does NOT flag valid specifier/param syntax for the same tools', () => {
|
|
assert.equal(forbiddenParamRule('Bash(npm:*)'), null); // npm: is a trailing-wildcard prefix, not command:
|
|
assert.equal(forbiddenParamRule('WebFetch(domain:good.com)'), null); // domain: is the valid WebFetch syntax
|
|
assert.equal(forbiddenParamRule('Read(./path)'), null); // gitignore-style path, no param:value
|
|
assert.equal(forbiddenParamRule('Bash(command)'), null); // literal command-prefix, no colon
|
|
});
|
|
|
|
it('does NOT flag param:value on tools that have no forbidden field', () => {
|
|
assert.equal(forbiddenParamRule('Agent(model:opus)'), null);
|
|
assert.equal(forbiddenParamRule('Bash(run_in_background:true)'), null);
|
|
});
|
|
|
|
it('bare tools and non-strings → null', () => {
|
|
assert.equal(forbiddenParamRule('Bash'), null);
|
|
assert.equal(forbiddenParamRule('Bash(*)'), null);
|
|
assert.equal(forbiddenParamRule(null), null);
|
|
});
|
|
});
|
|
|
|
describe('permission-rules — rulesIntersect (cross-scope conflict)', () => {
|
|
it('exact same rule intersects', () => {
|
|
assert.equal(rulesIntersect('Bash(npm run *)', 'Bash(npm run *)'), true);
|
|
});
|
|
|
|
it('bare tool intersects any param of same tool', () => {
|
|
assert.equal(rulesIntersect('Bash', 'Bash(npm:*)'), true);
|
|
assert.equal(rulesIntersect('Agent(model:opus)', 'Agent'), true);
|
|
});
|
|
|
|
it('wildcard intersects matching literal (currently a false negative)', () => {
|
|
assert.equal(rulesIntersect('WebFetch(domain:*)', 'WebFetch(domain:good.com)'), true);
|
|
assert.equal(rulesIntersect('WebFetch(domain:good.com)', 'WebFetch(domain:*)'), true);
|
|
});
|
|
|
|
it('distinct literal params are disjoint (no conflict)', () => {
|
|
assert.equal(rulesIntersect('Agent(model:opus)', 'Agent(model:sonnet)'), false);
|
|
});
|
|
|
|
it('different tools never intersect', () => {
|
|
assert.equal(rulesIntersect('Read', 'Write'), false);
|
|
});
|
|
});
|