config-audit/tests/scanners/disabled-in-schema.test.mjs
Kjell Tore Guttormsen d678765fad feat(dis): flag forbidden-param permission rules CC silently ignores
Extends the DIS scanner and its shared permission-rules lib with a third
documented Claude Code permission footgun. Verified verbatim against
code.claude.com/docs/en/permissions (fetched 2026-06-19).

CC's Tool(param:value) matching (2.1.178) is off-limits for a tool's own
canonicalizing field — CC ignores such a rule and emits a startup warning,
because e.g. Bash(command:rm *) is bypassable by a compound command. The
forbidden fields: command (Bash/PowerShell), file_path (Read/Edit/Write),
path (Grep/Glob), notebook_path (NotebookEdit), url (WebFetch).

- lib/permission-rules.mjs: new forbiddenParamRule(entry) returning
  { tool, key, hint } or null. Only the param:value form (colon present)
  whose key equals the tool's forbidden field is flagged; Bash(npm:*),
  WebFetch(domain:host), Agent(model:opus), and Bash(command) (no colon)
  are left valid. FORBIDDEN_PARAMS map is the single source of truth.
- DIS: scans allow + deny + ask and splits severity by intent — deny/ask
  hits are false security (medium: the block never applies), allow hits are
  dead config (low: param:value matching is deny/ask-only). Two findings,
  permissions-hygiene, CA-DIS-NNN.
- 11 new tests (7 lib, 4 DIS) + 1 fixture forbidden-param-permissions
  (force-added past .gitignore .claude/). Suite 918 -> 929. Snapshot
  unchanged (SC-5 byte-equal), contamination grep clean, gitleaks clean.
  README/CLAUDE document the broadened DIS mandate; test badge synced.
  self-audit: PASS, configGrade A 97, pluginGrade A 100, scanners 13.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
2026-06-19 14:04:25 +02:00

182 lines
9.5 KiB
JavaScript

import { describe, it } from 'node:test';
import assert from 'node:assert/strict';
import { resolve } from 'node:path';
import { fileURLToPath } from 'node:url';
import { resetCounter } from '../../scanners/lib/output.mjs';
import { scan } from '../../scanners/disabled-in-schema-scanner.mjs';
import { discoverConfigFiles } from '../../scanners/lib/file-discovery.mjs';
const __dirname = fileURLToPath(new URL('.', import.meta.url));
const FIXTURES = resolve(__dirname, '../fixtures');
async function runScanner(fixtureName) {
resetCounter();
const path = resolve(FIXTURES, fixtureName);
const discovery = await discoverConfigFiles(path);
return scan(path, discovery);
}
describe('DIS scanner — basic structure', () => {
it('reports scanner prefix DIS', async () => {
const result = await runScanner('denied-tools-in-schema');
assert.equal(result.scanner, 'DIS');
});
it('finding IDs match CA-DIS-NNN pattern', async () => {
const result = await runScanner('denied-tools-in-schema');
for (const f of result.findings) {
assert.match(f.id, /^CA-DIS-\d{3}$/);
}
});
});
describe('DIS scanner — Bash in both arrays → finding', () => {
it('flags Bash overlap with low severity', async () => {
const result = await runScanner('denied-tools-in-schema');
const f = result.findings.find(x => /both permissions\.deny and permissions\.allow/i.test(x.title || ''));
assert.ok(f, `expected DIS finding; got: ${result.findings.map(x => x.title).join(' | ')}`);
assert.equal(f.severity, 'low', `expected low, got ${f.severity}`);
assert.match(String(f.evidence || ''), /Bash/);
});
it('evidence references the allow + deny entries', async () => {
const result = await runScanner('denied-tools-in-schema');
const f = result.findings.find(x => /both permissions/i.test(x.title || ''));
assert.ok(f);
assert.match(String(f.evidence || ''), /allow=/);
assert.match(String(f.evidence || ''), /deny=/);
});
});
describe('DIS scanner — clean settings → no finding', () => {
it('healthy-project has no DIS findings', async () => {
const result = await runScanner('healthy-project');
const f = result.findings.find(x => /both permissions/i.test(x.title || ''));
assert.equal(f, undefined,
`expected no DIS finding for healthy-project; got: ${f?.title}`);
});
});
describe('DIS scanner — orchestrator wiring', () => {
it('DIS appears in scan-orchestrator scanner list', async () => {
const orch = await import('../../scanners/scan-orchestrator.mjs');
const path = resolve(FIXTURES, 'denied-tools-in-schema');
const env = await orch.runAllScanners(path, { filterFixtures: false });
const dis = env.scanners.find(r => r.scanner === 'DIS');
assert.ok(dis, `expected DIS in orchestrator results; got: ${env.scanners.map(r => r.scanner).join(', ')}`);
});
});
describe('DIS scanner — param-qualified permissions are param-aware', () => {
// settings.json:
// allow: Agent(model:sonnet), WebFetch(domain:good.com), Bash(npm:*)
// deny: Agent(model:opus), WebFetch(domain:evil.com), Bash
// Only the bare `Bash` deny dominates an allow (Bash(npm:*)). The param-
// qualified deny/allow pairs are DISTINCT specs (CC 2.1.178 param-matching,
// 2.1.172 domain rules) and must NOT be flagged as dead config.
it('flags exactly the Bash overlap (bare deny covers param allow)', async () => {
const result = await runScanner('param-qualified-permissions');
const f = result.findings.find(x => /both permissions/i.test(x.title || ''));
assert.ok(f, 'expected the Bash overlap to still be flagged');
assert.match(String(f.evidence || ''), /Bash/);
assert.match(String(f.description || ''), /contains 1 tool\b/);
});
it('does NOT flag Agent(model:opus)/Agent(model:sonnet) as dead config', async () => {
const result = await runScanner('param-qualified-permissions');
const f = result.findings.find(x => /both permissions/i.test(x.title || ''));
assert.doesNotMatch(String(f?.evidence || ''), /Agent/);
});
it('does NOT flag WebFetch(domain:good.com)/WebFetch(domain:evil.com) as dead config', async () => {
const result = await runScanner('param-qualified-permissions');
const f = result.findings.find(x => /both permissions/i.test(x.title || ''));
assert.doesNotMatch(String(f?.evidence || ''), /WebFetch/);
});
});
describe('DIS scanner — ineffective allow wildcards (CC skips unanchored tool-name globs)', () => {
// settings.json allow: ["mcp__*", "B*", "mcp__puppeteer__*", "Bash(npm run *)", "Read"]
// CC skips `mcp__*` and `B*` (unanchored tool-name globs) — dead config.
// `mcp__puppeteer__*` (anchored), `Bash(npm run *)` (specifier glob) and `Read` are valid.
it('flags the ineffective allow globs with low severity', async () => {
const result = await runScanner('ineffective-allow-globs');
const f = result.findings.find(x => /ineffective allow wildcard/i.test(x.title || ''));
assert.ok(f, `expected ineffective-allow-glob finding; got: ${result.findings.map(x => x.title).join(' | ')}`);
assert.equal(f.severity, 'low', `expected low, got ${f.severity}`);
assert.match(f.id, /^CA-DIS-\d{3}$/);
});
it('evidence cites only the unanchored globs, not the valid entries', async () => {
const result = await runScanner('ineffective-allow-globs');
const f = result.findings.find(x => /ineffective allow wildcard/i.test(x.title || ''));
assert.ok(f);
assert.match(String(f.evidence || ''), /mcp__\*/);
assert.match(String(f.evidence || ''), /B\*/);
assert.doesNotMatch(String(f.evidence || ''), /puppeteer/); // anchored MCP glob is valid
assert.doesNotMatch(String(f.evidence || ''), /npm run/); // specifier glob is valid
});
it('clean settings (no unanchored globs) → no ineffective-allow finding', async () => {
const result = await runScanner('healthy-project');
const f = result.findings.find(x => /ineffective allow wildcard/i.test(x.title || ''));
assert.equal(f, undefined, `expected no ineffective-allow finding; got: ${f?.title}`);
});
});
describe('DIS scanner — forbidden-param rules CC silently ignores (Tool(param:value) on a canonicalizing field)', () => {
// fixture forbidden-param-permissions/.claude/settings.json:
// allow: Read(file_path:/etc/passwd), Bash(npm:*), WebFetch(domain:good.com)
// deny: Bash(command:rm *), Grep(path:/secrets), Agent(model:opus)
// ask: WebFetch(url:http://evil.com)
// CC ignores command:/file_path:/path:/url: and emits a startup warning.
// deny/ask hits = false security (medium); allow hits = dead config (low).
// Bash(npm:*), WebFetch(domain:good.com), Agent(model:opus) are VALID — never flagged.
it('flags deny/ask forbidden-param rules with MEDIUM severity (false security)', async () => {
const result = await runScanner('forbidden-param-permissions');
const f = result.findings.find(x => /silently ignored.*deny\/ask|deny\/ask.*forbidden param/i.test(x.title || ''));
assert.ok(f, `expected a medium forbidden-param finding; got: ${result.findings.map(x => x.title).join(' | ')}`);
assert.equal(f.severity, 'medium', `expected medium, got ${f.severity}`);
assert.match(f.id, /^CA-DIS-\d{3}$/);
});
it('medium evidence cites the deny + ask forbidden entries, not the valid ones', async () => {
const result = await runScanner('forbidden-param-permissions');
const f = result.findings.find(x => /silently ignored.*deny\/ask|deny\/ask.*forbidden param/i.test(x.title || ''));
assert.ok(f);
assert.match(String(f.evidence || ''), /command:/); // Bash(command:rm *)
assert.match(String(f.evidence || ''), /path:/); // Grep(path:/secrets)
assert.match(String(f.evidence || ''), /url:/); // WebFetch(url:...) from ask
assert.doesNotMatch(String(f.evidence || ''), /Agent/); // model:opus is valid
});
it('flags allow forbidden-param rules with LOW severity (dead config)', async () => {
const result = await runScanner('forbidden-param-permissions');
const f = result.findings.find(x => /silently ignored.*allow|allow.*forbidden param/i.test(x.title || ''));
assert.ok(f, `expected a low forbidden-param finding; got: ${result.findings.map(x => x.title).join(' | ')}`);
assert.equal(f.severity, 'low', `expected low, got ${f.severity}`);
assert.match(String(f.evidence || ''), /file_path:/); // Read(file_path:/etc/passwd)
assert.doesNotMatch(String(f.evidence || ''), /npm:/); // Bash(npm:*) is valid
assert.doesNotMatch(String(f.evidence || ''), /domain:/); // WebFetch(domain:...) is valid
});
it('valid param/specifier syntax produces no forbidden-param finding', async () => {
const result = await runScanner('param-qualified-permissions');
const f = result.findings.find(x => /forbidden param|silently ignored/i.test(x.title || ''));
assert.equal(f, undefined, `expected no forbidden-param finding for valid syntax; got: ${f?.title}`);
});
});
describe('DIS scanner — deny-all glob Tool(*) kills a bare allow (end-to-end)', () => {
// settings.json: allow: ["Bash"], deny: ["Bash(*)"]
// Bash(*) deny ≡ bare Bash deny → the bare Bash allow is dead config.
it('flags the bare Bash allow as dead under a Bash(*) deny', async () => {
const result = await runScanner('deny-all-glob');
const f = result.findings.find(x => /both permissions\.deny and permissions\.allow/i.test(x.title || ''));
assert.ok(f, `expected the bare Bash allow to be flagged dead; got: ${result.findings.map(x => x.title).join(' | ')}`);
assert.match(String(f.evidence || ''), /Bash/);
});
});