fix(llm-security): hook coverage — pathguard on Edit, trifecta window, pipe-to-shell, provider keys (#9,#10,#12,#13,#11-doc)
#9 pathguard registered matcher Write only, so an Edit/MultiEdit to an existing protected file (settings.json, .env, .ssh, the hooks themselves) bypassed it entirely; matcher now Edit|Write (the script already reads only tool_input.file_path). #10 the primary trifecta detector's 20-entry window counted marker lines, so accumulated markers scrolled a real leg out (false negative); the window now counts tool-call entries. #13 pre-edit-secrets caught bare provider keys only inside a quoted label assignment; added anchored patterns for Anthropic sk-ant, OpenAI sk-proj, fine-grained github_pat_, Google AIza, and JWT eyJ (minimum-length guarded against prose false positives). #12 the remote-pipe-to-shell block required a shell immediately after the first pipe, so xargs/sudo/tee/env interposition evaded it and the comment falsely claimed xargs was caught; broadened to reach a shell through intermediate segments while leaving shell-OR fallbacks unblocked. #11 (doc only): knowledge/owasp-skills-top10.md claimed pre-bash-destructive blocks persistence commands — it does not; corrected to mark persistence detection as unimplemented/future (the detector itself is deferred to v8). Suite 2004/0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TcQyMTQfyrsAapaCMPxTtQ
This commit is contained in:
parent
21c6c2b534
commit
8a59d616fb
9 changed files with 337 additions and 6 deletions
|
|
@ -154,8 +154,10 @@ Claude Code hook abuse (instructions to modify `hooks.json` or `~/.claude/settin
|
|||
`.git/hooks/` modification; `RunAtLoad`, `StartInterval`, `KeepAlive` (plist); framing as
|
||||
"always-on", "background", "persistent".
|
||||
|
||||
**Mitigations:** No legitimate skill requires cron or LaunchAgent. `pre-bash-destructive.mjs` blocks
|
||||
persistence commands. `pre-write-pathguard.mjs` blocks plugin/hook path writes.
|
||||
**Mitigations:** No legitimate skill requires cron or LaunchAgent. Runtime persistence-command
|
||||
detection (`crontab`, `launchctl`, rc-file modification) is NOT implemented in
|
||||
`pre-bash-destructive.mjs` — it is planned future work; until then, review skill bodies manually
|
||||
against the detection signals above. `pre-write-pathguard.mjs` blocks plugin/hook path writes.
|
||||
|
||||
---
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue