open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/scanners/lib
History
Kjell Tore Guttormsen 037b9644f3 feat(bash-normalize): T9 — one-level variable substitution (E10) 
Defeats split-and-substitute evasion where attackers split a destructive
command name across an assignment and a variable reference (X=rm; later
$X) so downstream regex gates miss the literal command name. T9 collects
prefix assignments (VAR=value at start of string or after ; & |) and
substitutes ${VAR} / $VAR forms with the captured value. One-level
forward-flow only — chained vars are not followed.

Documented limits in JSDoc:
- Quoted assignments (X="rm -rf") not parsed (whitespace stops capture)
- Substitution is global within string, not scoped. Acceptable because
  T3 strips unknown ${VAR} to '' afterwards.

Single-quoted literals are masked before T9 runs, so legitimate
strings are preserved (FP probe in tests).

7 new tests in bash-normalize-t7-t9.test.mjs.
Closes E10 in critical-review-2026-04-20.md.
2026-04-30 15:12:02 +02:00
..
audit-trail.mjs feat(governance): add structured JSONL audit trail with SIEM-ready schema 2026-04-10 13:25:59 +02:00
bash-normalize.mjs feat(bash-normalize): T9 — one-level variable substitution (E10) 2026-04-30 15:12:02 +02:00
bom-builder.mjs feat(scanner): add AI-BOM generator — CycloneDX 1.6 format for AI supply chain transparency 2026-04-10 13:29:30 +02:00
diff-engine.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
distribution-stats.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
file-discovery.mjs feat(llm-security)!: v7.0.0 commit 6 — tests, docs, version bump 2026-04-19 22:26:35 +02:00
fs-utils.mjs feat(llm-security): sandboxed remote cloning v5.1.0 2026-04-07 17:08:32 +02:00
git-clone.mjs feat(llm-security): sandboxed remote cloning v5.1.0 2026-04-07 17:08:32 +02:00
ide-extension-data.mjs feat(llm-security): seed top-jetbrains-plugins.json + loadJetBrainsBlocklist export 2026-04-18 09:56:55 +02:00
ide-extension-discovery.mjs feat(llm-security): honor LLM_SECURITY_IDE_ROOTS for JetBrains discovery 2026-04-18 11:09:02 +02:00
ide-extension-parser.mjs feat(llm-security): implement parseIntelliJPlugin with nested-jar extraction 2026-04-18 10:15:12 +02:00
injection-patterns.mjs feat(injection): E16 — homoglyph NFKC fold before every pattern match 2026-04-29 14:22:05 +02:00
jetbrains-fetch-worker.mjs feat(llm-security): URL-fetch support for JetBrains Marketplace (v6.6.0) 2026-04-18 10:46:13 +02:00
mcp-description-cache.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
output.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
policy-loader.mjs feat(llm-security): v7.0.0 commit 3 — policy-driven entropy thresholds 2026-04-19 22:02:52 +02:00
sarif-formatter.mjs feat(scanner): add SARIF 2.1.0 output format to scan-orchestrator (--format sarif) 2026-04-10 13:22:59 +02:00
severity.mjs docs(severity): B3 — document info as scoring-inert (v7.2.0 prep) 2026-04-29 13:56:11 +02:00
skill-registry.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
string-utils.mjs fix(injection): E16 ASCII fast-path + UNI-003 expectation update (v7.2.0) 2026-04-29 14:44:41 +02:00
supply-chain-data.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
vsix-fetch-worker.mjs feat(llm-security): OS sandbox for /security ide-scan <url> (v6.5.0) 2026-04-17 17:28:57 +02:00
vsix-fetch.mjs feat(llm-security): add fetchJetBrainsPlugin + URL detection for plugins.jetbrains.com 2026-04-18 10:39:54 +02:00
vsix-sandbox.mjs refactor(llm-security): parameterize buildSandboxedWorker with workerPath 2026-04-18 10:37:10 +02:00
yaml-frontmatter.mjs feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
zip-extract.mjs feat(llm-security): /security ide-scan <url> — Marketplace/OpenVSX/direct VSIX (v6.4.0) 2026-04-17 17:16:26 +02:00