llm-security/tests/hooks
Kjell Tore Guttormsen a92b3c5962 fix(llm-security): HIGH — bare root/home targets bypassed the rm block
The BLOCK rule named "Filesystem root destruction" did not block the bare
root target it is named for. The target alternation ended in a shared `\b`,
and a word boundary cannot hold after `/` or `~` at end-of-command.
Measured against the shipped pattern:

  bare `/` target        NOT blocked      `$HOME` target   blocked
  bare `~` target        NOT blocked      `/usr` target    blocked
  `/*` glob target       NOT blocked
  swapped flags (-fr)    NOT blocked
  sudo-prefixed          NOT blocked

Only targets whose first character is a word character ever satisfied the
assertion, so the rule caught `/etc` but not bare root. These fell through
to WARN (exit 0) — advisory only, command executed.

- Pattern: `\b` moved onto the `$HOME` alternative alone, where it is
  meaningful (it ends in a word char, so `$HOMEDIR` is still not
  swallowed). Dropped from `/` and `~`. Nothing else changes: `/etc`,
  `/home`, `./build` behave exactly as before.
- The old test file encoded this defect as expected behaviour, with a NOTE
  claiming the pattern "requires separate flag groups (e.g. -f -r, not -rf
  combined)". That diagnosis was wrong — the `/etc` case blocks fine with
  merged flags. Comment replaced with the real root cause.

npm test: 1872/1872 green (1865 + 7 new).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TcQyMTQfyrsAapaCMPxTtQ
2026-07-18 09:08:12 +02:00
..
hook-helper.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
post-mcp-verify.test.mjs feat(post-mcp-verify): E14 part 2 — cumulative-drift MEDIUM advisory [skip-docs] 2026-04-30 16:40:52 +02:00
post-session-guard.test.mjs feat(post-session-guard): E17 — configurable escalation window + 20-call MEDIUM advisory 2026-04-29 14:26:18 +02:00
pre-bash-destructive.test.mjs fix(llm-security): HIGH — bare root/home targets bypassed the rm block 2026-07-18 09:08:12 +02:00
pre-compact-scan.test.mjs chore(llm-security): v7.3.1 — stabilization patch for forkers and downstream users 2026-05-01 06:14:03 +02:00
pre-edit-secrets.test.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
pre-install-supply-chain.test.mjs feat(pre-install-supply-chain): E13 — npm scope-hopping MEDIUM advisory with allowlist 2026-04-30 15:38:28 +02:00
pre-prompt-inject-scan.test.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
pre-write-pathguard.test.mjs fix(llm-security): B1 pathguard regex — match multi-segment .env.*.* 2026-04-19 23:59:38 +02:00
probe-rm.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
probe-secrets.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
supply-chain-injection.test.mjs fix(llm-security): F-2/F-3 — contain path traversal + kill npm-view shell injection 2026-06-20 11:09:13 +02:00
update-check.test.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00