config-audit/tests/lib/permission-rules.test.mjs
Kjell Tore Guttormsen d678765fad feat(dis): flag forbidden-param permission rules CC silently ignores
Extends the DIS scanner and its shared permission-rules lib with a third
documented Claude Code permission footgun. Verified verbatim against
code.claude.com/docs/en/permissions (fetched 2026-06-19).

CC's Tool(param:value) matching (2.1.178) is off-limits for a tool's own
canonicalizing field — CC ignores such a rule and emits a startup warning,
because e.g. Bash(command:rm *) is bypassable by a compound command. The
forbidden fields: command (Bash/PowerShell), file_path (Read/Edit/Write),
path (Grep/Glob), notebook_path (NotebookEdit), url (WebFetch).

- lib/permission-rules.mjs: new forbiddenParamRule(entry) returning
  { tool, key, hint } or null. Only the param:value form (colon present)
  whose key equals the tool's forbidden field is flagged; Bash(npm:*),
  WebFetch(domain:host), Agent(model:opus), and Bash(command) (no colon)
  are left valid. FORBIDDEN_PARAMS map is the single source of truth.
- DIS: scans allow + deny + ask and splits severity by intent — deny/ask
  hits are false security (medium: the block never applies), allow hits are
  dead config (low: param:value matching is deny/ask-only). Two findings,
  permissions-hygiene, CA-DIS-NNN.
- 11 new tests (7 lib, 4 DIS) + 1 fixture forbidden-param-permissions
  (force-added past .gitignore .claude/). Suite 918 -> 929. Snapshot
  unchanged (SC-5 byte-equal), contamination grep clean, gitleaks clean.
  README/CLAUDE document the broadened DIS mandate; test badge synced.
  self-audit: PASS, configGrade A 97, pluginGrade A 100, scanners 13.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
2026-06-19 14:04:25 +02:00

184 lines
7.7 KiB
JavaScript

import { describe, it } from 'node:test';
import assert from 'node:assert/strict';
import {
parseRule,
paramMatches,
dominates,
rulesIntersect,
isIneffectiveAllowGlob,
forbiddenParamRule,
} from '../../scanners/lib/permission-rules.mjs';
describe('permission-rules — parseRule', () => {
it('bare tool → param null', () => {
assert.deepEqual(parseRule('Bash'), { tool: 'Bash', param: null });
});
it('param-qualified tool → tool + param', () => {
assert.deepEqual(parseRule('Bash(npm:*)'), { tool: 'Bash', param: 'npm:*' });
});
it('domain rule → tool + param', () => {
assert.deepEqual(parseRule('WebFetch(domain:example.com)'), {
tool: 'WebFetch',
param: 'domain:example.com',
});
});
it('non-string → tool null', () => {
assert.equal(parseRule(null).tool, null);
});
});
describe('permission-rules — paramMatches (glob)', () => {
it('wildcard matches any suffix', () => {
assert.equal(paramMatches('domain:*', 'domain:good.com'), true);
assert.equal(paramMatches('npm:*', 'npm:install'), true);
});
it('exact literal matches', () => {
assert.equal(paramMatches('domain:good.com', 'domain:good.com'), true);
});
it('distinct literals do not match', () => {
assert.equal(paramMatches('domain:evil.com', 'domain:good.com'), false);
assert.equal(paramMatches('model:opus', 'model:sonnet'), false);
});
it('literal pattern does not match a wildcard value', () => {
assert.equal(paramMatches('domain:good.com', 'domain:*'), false);
});
});
describe('permission-rules — dominates (deny fully covers allow → dead allow)', () => {
it('bare deny covers any param-qualified allow', () => {
assert.equal(dominates('Bash', 'Bash(npm:*)'), true);
});
it('exact param deny covers identical allow', () => {
assert.equal(dominates('Agent(model:opus)', 'Agent(model:opus)'), true);
});
it('wildcard deny covers matching literal allow', () => {
assert.equal(dominates('WebFetch(domain:*)', 'WebFetch(domain:example.com)'), true);
});
it('distinct param deny does NOT cover a different param allow (the false positive)', () => {
assert.equal(dominates('Agent(model:opus)', 'Agent(model:sonnet)'), false);
assert.equal(dominates('WebFetch(domain:evil.com)', 'WebFetch(domain:good.com)'), false);
});
it('specific deny does NOT cover a bare allow (sonnet still allowed)', () => {
assert.equal(dominates('Agent(model:opus)', 'Agent'), false);
});
it('deny-all glob Tool(*) covers a bare allow (Bash(*) ≡ bare Bash deny)', () => {
// CC: "Bash(*) is equivalent to Bash ... As a deny rule, both forms remove
// the tool from Claude's context." So Bash(*) deny kills a bare Bash allow.
assert.equal(dominates('Bash(*)', 'Bash'), true);
assert.equal(dominates('Bash(*)', 'Bash(npm:*)'), true);
});
it('different tools never dominate', () => {
assert.equal(dominates('Bash', 'Read'), false);
});
});
describe('permission-rules — isIneffectiveAllowGlob (CC silently skips these allow entries)', () => {
it('unanchored tool-name globs are ineffective', () => {
assert.equal(isIneffectiveAllowGlob('*'), true);
assert.equal(isIneffectiveAllowGlob('B*'), true);
assert.equal(isIneffectiveAllowGlob('mcp__*'), true);
assert.equal(isIneffectiveAllowGlob('mcp__*__foo'), true); // glob in server segment
});
it('MCP globs anchored to a literal server are valid (not flagged)', () => {
assert.equal(isIneffectiveAllowGlob('mcp__puppeteer__*'), false);
assert.equal(isIneffectiveAllowGlob('mcp__github__get_*'), false);
});
it('non-glob and specifier forms are valid (not flagged)', () => {
assert.equal(isIneffectiveAllowGlob('Bash'), false); // legit match-all-tool allow
assert.equal(isIneffectiveAllowGlob('mcp__puppeteer'), false); // legit match-all-server
assert.equal(isIneffectiveAllowGlob('Bash(npm run *)'), false);// glob inside specifier is fine
assert.equal(isIneffectiveAllowGlob('Read(src/**)'), false);
});
it('non-string → false', () => {
assert.equal(isIneffectiveAllowGlob(null), false);
assert.equal(isIneffectiveAllowGlob(undefined), false);
});
});
describe('permission-rules — forbiddenParamRule (CC ignores Tool(param:value) for the tool\'s own canonicalizing field)', () => {
// CC: "Fields that a tool already matches with its own canonicalizing rules
// are not matchable this way: command for Bash and PowerShell, file_path for
// Read/Edit/Write, path for Grep/Glob, notebook_path for NotebookEdit, and
// url for WebFetch. ... Claude Code ignores it and emits a startup warning."
// (code.claude.com/docs/en/permissions — "Match by input parameter")
it('flags command: for Bash and PowerShell', () => {
assert.equal(forbiddenParamRule('Bash(command:rm *)').key, 'command');
assert.equal(forbiddenParamRule('PowerShell(command:Remove-Item *)').key, 'command');
});
it('flags file_path: for Read/Edit/Write', () => {
assert.equal(forbiddenParamRule('Read(file_path:/etc/passwd)').key, 'file_path');
assert.equal(forbiddenParamRule('Edit(file_path:/src/x)').tool, 'Edit');
assert.equal(forbiddenParamRule('Write(file_path:/src/x)').tool, 'Write');
});
it('flags path: for Grep/Glob, notebook_path: for NotebookEdit, url: for WebFetch', () => {
assert.equal(forbiddenParamRule('Grep(path:/secrets)').key, 'path');
assert.equal(forbiddenParamRule('Glob(path:/secrets)').key, 'path');
assert.equal(forbiddenParamRule('NotebookEdit(notebook_path:/nb.ipynb)').key, 'notebook_path');
assert.equal(forbiddenParamRule('WebFetch(url:http://evil.com)').key, 'url');
});
it('returns a tool-specific correct-syntax hint', () => {
assert.match(forbiddenParamRule('Bash(command:rm *)').hint, /Bash\(/);
assert.match(forbiddenParamRule('WebFetch(url:http://x)').hint, /domain:/);
});
it('does NOT flag valid specifier/param syntax for the same tools', () => {
assert.equal(forbiddenParamRule('Bash(npm:*)'), null); // npm: is a trailing-wildcard prefix, not command:
assert.equal(forbiddenParamRule('WebFetch(domain:good.com)'), null); // domain: is the valid WebFetch syntax
assert.equal(forbiddenParamRule('Read(./path)'), null); // gitignore-style path, no param:value
assert.equal(forbiddenParamRule('Bash(command)'), null); // literal command-prefix, no colon
});
it('does NOT flag param:value on tools that have no forbidden field', () => {
assert.equal(forbiddenParamRule('Agent(model:opus)'), null);
assert.equal(forbiddenParamRule('Bash(run_in_background:true)'), null);
});
it('bare tools and non-strings → null', () => {
assert.equal(forbiddenParamRule('Bash'), null);
assert.equal(forbiddenParamRule('Bash(*)'), null);
assert.equal(forbiddenParamRule(null), null);
});
});
describe('permission-rules — rulesIntersect (cross-scope conflict)', () => {
it('exact same rule intersects', () => {
assert.equal(rulesIntersect('Bash(npm run *)', 'Bash(npm run *)'), true);
});
it('bare tool intersects any param of same tool', () => {
assert.equal(rulesIntersect('Bash', 'Bash(npm:*)'), true);
assert.equal(rulesIntersect('Agent(model:opus)', 'Agent'), true);
});
it('wildcard intersects matching literal (currently a false negative)', () => {
assert.equal(rulesIntersect('WebFetch(domain:*)', 'WebFetch(domain:good.com)'), true);
assert.equal(rulesIntersect('WebFetch(domain:good.com)', 'WebFetch(domain:*)'), true);
});
it('distinct literal params are disjoint (no conflict)', () => {
assert.equal(rulesIntersect('Agent(model:opus)', 'Agent(model:sonnet)'), false);
});
it('different tools never intersect', () => {
assert.equal(rulesIntersect('Read', 'Write'), false);
});
});