feat(llm-security): sandboxed remote cloning v5.1.0
Harden git clone attack surface for remote scans with defense-in-depth:

Layer 1 (all platforms): 8 git config flags disable hooks, symlinks, filter/smudge drivers, fsmonitor, local file protocol. 4 env vars isolate from system/user git config and block interactive prompts.

Layer 2 (OS sandbox): macOS sandbox-exec and Linux bubblewrap (bwrap) restrict file writes to only the specific temp directory. bwrap probe-tests availability before use. Graceful fallback on Windows and Ubuntu 24.04+ (git config hardening only).

Additional: post-clone 100MB size check, UUID-unique evidence filenames, evidence file cleanup, cleanup guarantee in scan/plugin-audit commands.

32 new tests (1147 total).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
parent 5c1ceaa567
commit 708c898754
11 changed files with 487 additions and 12 deletions
@ -190,6 +190,24 @@ claude plugin add plugin-marketplace/llm-security
**Injection-safe remote scanning (v2.5+):** Remote scans pre-extract structured evidence via `content-extractor.mjs` and strip injection patterns BEFORE LLM agents see the content. Agents analyze a JSON evidence package, never raw files from untrusted repos. `[INJECTION-PATTERN-STRIPPED]` markers are confirmed findings.
**Sandboxed cloning (v5.1+):** `git clone` can execute arbitrary code via `.gitattributes` filter/smudge drivers. Remote clones are now hardened with defense-in-depth:
**Layer 1 — Git config hardening (all platforms):** 8 config flags disable hooks (`core.hooksPath=/dev/null`), symlinks (`core.symlinks=false`), filter/smudge drivers (all LFS filters cleared), fsmonitor, and local file protocol. Environment variables isolate from system/user git config and block interactive prompts.
**Layer 2 — OS-level filesystem sandbox (platform-dependent):**
| Platform | Sandbox | Status |
|----------|---------|--------|
| macOS | `sandbox-exec` | Always available — restricts file writes to specific temp dir |
| Linux | `bubblewrap` (bwrap) | Works on Fedora/Arch. May require admin AppArmor config on Ubuntu 24.04+ |
| Windows | None | No practical zero-install CLI sandbox exists. Git config hardening only |
When no OS sandbox is available, the plugin warns and proceeds with git config hardening only. The sandbox is an additional defense layer — even without it, the git config flags neutralize all known `.gitattributes` attack vectors.
**Additional protections:** Post-clone size check (100MB max), UUID-unique evidence filenames (prevents race conditions), cleanup guarantee (temp files removed even on error).
**Windows guidance:** Windows has no equivalent to `sandbox-exec` or `bwrap` that ships with the OS. The most practical mitigation for Windows users is to run Claude Code itself inside a sandboxed environment (e.g., Windows Sandbox on Pro/Enterprise, Docker Desktop, or WSL2). The git config hardening layer provides baseline protection on all platforms.
Output: structured report with ALLOW / WARNING / BLOCK verdict, risk score (0-100), and findings sorted by severity.
### Audit
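Review bot: the sentence "the git config flags neutralize all known `.gitattributes` attack vectors" in the fallback paragraph is an absolute claim the section does not let a reader verify, because the Layer 1 paragraph names only five of the eight config flags (`core.hooksPath=/dev/null`, `core.symlinks=false`, the cleared LFS filters, fsmonitor, local file protocol) and none of the four environment variables. List all eight flags and the four variables in the README and scope the claim to what they actually cover (hooks, filter/smudge drivers, symlinks, fsmonitor, the local file transport), so that a Windows user knows exactly which protection remains when no OS sandbox is present. Two smaller points: the macOS row marks `sandbox-exec` as "Always available", but Apple documents it as deprecated, so a note that it still ships but is unsupported would be prudent; and the 100MB check runs after the clone has completed, so it bounds what is handed to the extractor rather than what the clone writes to disk, which is worth stating next to "Post-clone size check".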
@ -594,8 +612,8 @@ llm-security/
│ │ ├── skill-registry.mjs # Fingerprinting, caching, pattern search
│ │ ├── file-discovery.mjs # Walk tree, filter, binary detect
│ │ ├── yaml-frontmatter.mjs # Regex-based frontmatter parser
│ │ ├── git-clone.mjs # Clone/cleanup remote repos to temp dirs
│ │ └── fs-utils.mjs # Backup, restore, cleanup, tmppath utilities
│ │ ├── git-clone.mjs # Sandboxed clone/cleanup (sandbox-exec + git config hardening)
│ │ └── fs-utils.mjs # Backup, restore, cleanup, tmppath (UUID-unique) utilities
│ ├── unicode-scanner.mjs # Zero-width, Tags, BIDI, homoglyphs
│ ├── entropy-scanner.mjs # Shannon entropy, base64/hex detection
│ ├── permission-mapper.mjs # Plugin permission analysis
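Review bot: the new comment on `git-clone.mjs` reads "Sandboxed clone/cleanup (sandbox-exec + git config hardening)", but the README section added in this same commit describes bubblewrap as the Linux sandbox and the commit message says bwrap is probe-tested before use, so the tree entry undersells the Linux path; "Sandboxed clone/cleanup (sandbox-exec / bwrap + git config hardening)" keeps the two descriptions consistent. The `fs-utils.mjs` comment change ("tmppath (UUID-unique)") matches the evidence-filename change described elsewhere and needs no edit.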
@ -687,6 +705,7 @@ This plugin provides full-stack security hardening (static analysis + supply cha
| Version | Date | Highlights |
|---------|------|------------|
| **5.1.0** | 2026-04-07 | **Sandboxed remote cloning.** Defense-in-depth for `git clone` attack surface: (1) 8 git config flags disable hooks, symlinks, filter/smudge drivers, fsmonitor, local file protocol; 4 env vars isolate from system/user config. (2) OS sandbox: macOS `sandbox-exec` + Linux `bubblewrap` restrict file writes to only the clone temp dir. Graceful fallback on Windows (git config only). Post-clone size check (100MB max). UUID-unique evidence filenames prevent race conditions. Cleanup guarantee in scan/plugin-audit commands. 1147 tests (was 1115). |
| **5.0.0** | 2026-04-06 | **Prompt Injection Hardening (v5.0).** 8-session defense-in-depth overhaul driven by 7 research papers (2025-2026). MEDIUM advisory for obfuscation signals (leetspeak, homoglyphs, zero-width, multi-language). Unicode Tag steganography detection (U+E0000-E007F). Bash expansion normalization (`bash-normalize.mjs`). Rule of Two enforcement (configurable `LLM_SECURITY_TRIFECTA_MODE=block\|warn\|off`). 100-call long-horizon monitoring window with slow-burn trifecta detection. Behavioral drift via Jensen-Shannon divergence. HITL trap detection (approval urgency, summary suppression, scope minimization). Sub-agent delegation tracking (escalation-after-input advisory). NL indirection patterns. Hybrid attacks (P2SQL, recursive injection, XSS-in-agent). CaMeL-inspired data flow tagging (SHA-256 provenance, output-to-input linking). Adaptive red-team (5 mutation rounds per scenario: homoglyph, encoding, zero-width, case alternation, synonym). Knowledge base expanded: `prompt-injection-research-2025-2026.md`, `deepmind-agent-traps.md`, `attack-mutations.json`. Posture scanner expanded to 13 categories (+Prompt Injection Hardening, Rule of Two, Long-Horizon Monitoring). Defense Philosophy section documenting honest limitations. 1115 tests. |
| **4.5.1** | 2026-04-04 | **Cross-platform support.** Windows/Linux compatibility: `fileURLToPath()`, `path.dirname()`, native `fetch()` replaces `curl` subprocess, fixed tilde expansion regex. 11 files, 782 tests pass. |
| **4.5.0** | 2026-04-04 | **Attack simulation / red-team mode.** New `attack-simulator.mjs` runs 38 crafted attack scenarios across 7 categories (secrets, destructive, supply-chain, prompt-injection, pathguard, mcp-output, session-trifecta) against the plugin's own hooks. Data-driven via `knowledge/attack-scenarios.json` with runtime payload assembly. New `/security red-team` command with `--category` filter. Capstone release: v4.0 roadmap complete (S1-S6). 18 commands, 16 scanners (10 orchestrated + 6 standalone). 782 tests. |
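Review bot: the 5.1.0 row says "Graceful fallback on Windows (git config only)", but the platform table in the new README section and the commit message both describe the same fallback on Linux when `bwrap` cannot run (Ubuntu 24.04+ AppArmor restrictions), so the row should read "Graceful fallback on Windows and on Linux without a working bwrap"; a changelog reader should not conclude that Linux clones are always sandboxed. The test count is consistent with the commit message (1115 to 1147 is the stated 32 new tests).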