open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/hooks/scripts/pre-write-pathguard.mjs
Kjell Tore Guttormsen 751f1199c8 fix(llm-security): B1 pathguard regex — match multi-segment .env.*.* 
The previous ENV regex `/[\\/]\.env\.[a-z]+$/` only matched a single
lowercase segment after `.env`. Multi-segment and mixed-case variants
such as `.env.production.local.backup`, `.env.stage-1.local`, and
`.env.CI.secret` slipped past the hook. Replaced with
`/[\\/]\.env(\.[A-Za-z0-9._-]+)*$/` which matches `.env` plus any
number of dot-separated alphanumeric/dot/hyphen/underscore segments.
`.envrc` (direnv config, no dot separator) is still allowed.

Addresses critical review 2026-04-20 §2 B1 (HIGH).

Tests: 7 added (6 new multi-segment BLOCK cases + 1 .envrc ALLOW).
All 1494 tests pass.
2026-04-19 23:59:38 +02:00

196 lines
5.4 KiB
JavaScript
Raw Blame History

#!/usr/bin/env node
// Hook: pre-write-pathguard.mjs
// Event: PreToolUse (Write)
// Purpose: Block writes to sensitive paths (.env, .ssh/, .aws/, credentials, etc.)
//
// Protocol:
// - Read JSON from stdin: { tool_name, tool_input }
// - tool_input.file_path — destination path
// - Block: stderr + exit 2
// - Allow: exit 0
import { readFileSync } from 'node:fs';
import { basename, normalize, resolve } from 'node:path';
import { getPolicyValue } from '../../scanners/lib/policy-loader.mjs';
// ---------------------------------------------------------------------------
// Sensitive path patterns — 8 categories
// ---------------------------------------------------------------------------
/** Category 1: Environment files
* Matches `.env` and any multi-segment suffix after it, e.g.
* `.env.local`, `.env.production.local.backup`, `.env.stage-1.local`,
* `.env.CI.secret`. Does NOT match `.envrc` (direnv) — no dot separator.
* v7.1.0 B1 fix: previous regex `/[\\/]\.env\.[a-z]+$/` only matched a
* single lowercase segment after `.env`.
*/
const ENV_PATTERNS = [
/[\\/]\.env(\.[A-Za-z0-9._-]+)*$/,
];
/** Category 2: SSH directory */
const SSH_PATTERNS = [
/[\\/]\.ssh[\\/]/,
];
/** Category 3: AWS credentials */
const AWS_PATTERNS = [
/[\\/]\.aws[\\/]/,
];
/** Category 4: GPG directory */
const GPG_PATTERNS = [
/[\\/]\.gnupg[\\/]/,
];
/** Category 5: Credential files */
const CREDENTIAL_FILES = [
'.npmrc',
'.pypirc',
'.netrc',
'.docker/config.json',
'credentials.json',
'service-account.json',
'keyfile.json',
];
/** Category 6: Hook scripts (prevent hook tampering) */
const HOOK_PATTERNS = [
/[\\/]\.claude[\\/].*hooks.*\.json$/,
/[\\/]hooks[\\/]scripts[\\/].*\.mjs$/,
];
/** Category 7: System directories */
const SYSTEM_PATTERNS = [
/^\/etc[\\/]/,
/^\/usr[\\/]/,
/^\/var[\\/]/,
];
/** Category 8: Settings files */
const SETTINGS_FILES = [
'settings.json',
'settings.local.json',
];
/** Category 9: Policy-defined additional protected paths */
const POLICY_PATTERNS = getPolicyValue('pathguard', 'additional_protected', []).map(p => new RegExp(p));
// ---------------------------------------------------------------------------
// Path classification
// ---------------------------------------------------------------------------
/**
* Check if a file path targets a sensitive location.
* @param {string} filePath - The path to check
* @returns {{ blocked: boolean, category: string, reason: string }}
*/
function classifyPath(filePath) {
if (!filePath) return { blocked: false, category: '', reason: '' };
const norm = normalize(resolve(filePath));
const base = basename(norm);
// Category 1: Environment files
for (const pat of ENV_PATTERNS) {
if (pat.test(norm)) {
return { blocked: true, category: 'env', reason: `Environment file: ${base}` };
}
}
// Category 2: SSH
for (const pat of SSH_PATTERNS) {
if (pat.test(norm)) {
return { blocked: true, category: 'ssh', reason: `SSH directory: ${norm}` };
}
}
// Category 3: AWS
for (const pat of AWS_PATTERNS) {
if (pat.test(norm)) {
return { blocked: true, category: 'aws', reason: `AWS credentials directory: ${norm}` };
}
}
// Category 4: GPG
for (const pat of GPG_PATTERNS) {
if (pat.test(norm)) {
return { blocked: true, category: 'gnupg', reason: `GPG directory: ${norm}` };
}
}
// Category 5: Credential files
for (const name of CREDENTIAL_FILES) {
if (norm.endsWith(name) || base === name) {
return { blocked: true, category: 'credentials', reason: `Credential file: ${base}` };
}
}
// Category 6: Hook scripts
for (const pat of HOOK_PATTERNS) {
if (pat.test(norm)) {
return { blocked: true, category: 'hooks', reason: `Hook configuration: ${base}` };
}
}
// Category 7: System directories
for (const pat of SYSTEM_PATTERNS) {
if (pat.test(norm)) {
return { blocked: true, category: 'system', reason: `System directory: ${norm}` };
}
}
// Category 8: Settings files
for (const name of SETTINGS_FILES) {
if (base === name) {
// Only block settings.json in .claude/ directories
if (/[\\/]\.claude[\\/]/.test(norm) || /[\\/]\.vscode[\\/]/.test(norm)) {
return { blocked: true, category: 'settings', reason: `Settings file: ${norm}` };
}
}
}
// Category 9: Policy-defined additional protected paths
for (const pat of POLICY_PATTERNS) {
if (pat.test(norm)) {
return { blocked: true, category: 'policy', reason: `Policy-protected path: ${norm}` };
}
}
return { blocked: false, category: '', reason: '' };
}
// ---------------------------------------------------------------------------
// Main
// ---------------------------------------------------------------------------
let input;
try {
const raw = readFileSync(0, 'utf-8');
input = JSON.parse(raw);
} catch {
process.exit(0);
}
const toolInput = input?.tool_input ?? {};
const filePath = toolInput.file_path ?? '';
if (!filePath) {
process.exit(0);
}
const result = classifyPath(filePath);
if (result.blocked) {
process.stderr.write(
`\n[llm-security] PATH GUARD: Write blocked\n` +
` Category: ${result.category}\n` +
` Reason: ${result.reason}\n` +
` Path: ${filePath}\n\n` +
`This path is protected. If this write is intentional, ` +
`ask the user to perform it manually.\n`
);
process.exit(2);
}
process.exit(0);
Reference in a new issue View git blame Copy permalink