llm-security/STATE.md
2026-07-18 09:02:02 +02:00

4.6 KiB
Raw Blame History

STATE — llm-security

👉 NESTE — START HER (fresh session, Opus 4.8 xhigh) — v7.8.2: the ~6 HIGH: v7.8.1 SHIPPED — the CRITICAL auto-cleaner RCE is fixed, released, tagged, catalog-synced and pushed. Next up is the HIGH tier from the same review. Iron Law per defect (regression test FIRST), one commit per defect, then ship v7.8.2. All six are in the 59-finding review output (harvest source below). Order them yourself; suggested by blast radius:

  1. rm -rf / + rm -rf ~ bypass the root-block — hooks/pre-bash-destructive.mjs:24.
  2. Entropy scanner suppresses ALL findings when the ABSOLUTE path contains test/spec/fix — scanners/entropy-scanner.mjs:308 (a repo cloned to /tmp/fix-me/ silently reports nothing).
  3. Unparseable JetBrains plugin crashes the whole ide-scan + null-manifest deref — scanners/ide-extension-scanner.mjs:684 (likely 1 root cause / 2 findings).
  4. Obfuscated injections are reported but NOT stripped from the LLM evidence package — scanners/content-extractor.mjs:119 (defeats the remote-scan injection defense).
  5. Out-of-range numeric char-ref raises RangeError, breaking the no-throw contract — scanners/ide-extension-parser.mjs:147. Then the MEDIUM sweep (52 more) — likely its own release, not v7.8.2.

Review output (harvest source): confirmed array + per-finding adversarial reasoning in task w8s4rsaw8 output: …/dfcab047-5467-4484-ab1a-5d6526439f78/tasks/w8s4rsaw8.output (result.confirmed, 59 items). Durable journal (one result-line/agent): ~/.claude/projects/-Users-…-llm-security/ f99dcf73-d344-4377-b8ba-09fe878f32a2/subagents/workflows/wf_99daed37-f8b/journal.jsonl.

PARKED — v8 family strategy (behind an operator visibility decision, DO NOT PUSH)

4 of 6 deliverables written, LOCAL ONLY: docs/JOBS-TO-BE-DONE.md, docs/FAMILY-MAP.md, docs/commons-extraction-plan.md, docs/roadmap.md [gitignored]. Remaining v8 docs (do NOT start until visibility is decided): formal docs/completion-review-2026-07-17.md (findings table + severity.mjs framework-coverage map + citations; roadmap B8/P3 reference it) and V8-ANNOUNCEMENT.md. ⚠️ DO NOT PUSH the 3 untracked docs: origin open/llm-security.git is a PUBLIC mirror; docs describe cross-repo strategy + a sibling (claude-code-llm-wiki, "Private pending Anthropic ToS"). Do NOT git add them without a visibility call (accept-public / keep-local .local.md / private family home). NOTE: docs/FAMILY-MAP.md:42 still says v7.8.0/1863 tests — stale, fix when the parking ends.

Ground truth (verified 2026-07-18)

  • npm test = 1865/0 green at tip. Run tests with npm testnode --test tests/ is NOT a valid invocation (it fails as a harness error, not a regression); the script is node --test 'tests/**/*.test.mjs'.
  • v7.8.1 released: tag v7.8.1 pushed, catalog ref bumped, check-versions.mjs = 0 ERROR (the one WARN is okr, pre-existing and unrelated).
  • CRITICAL RCE: reproduced live before the fix (canary via $CLEANER_RCE_CANARY env expansion, proving a shell parsed the filename), gone after. Both sinks in scanners/auto-cleaner.mjs are now spawnSync argv-arrays; execSync is no longer imported there.
  • Regression coverage is deliberately TWO tests (tests/scanners/auto-cleaner-rce.test.mjs): the belt in applyFixes (metachar refusal) stops hostile input BEFORE the sink, so a single applyFixes-level test would pass without proving the shell was gone. validateContent is exported for that reason — do not "tidy" that export away.
  • Prior security: F-1/2/3/5/6 fixed; F-4 open (optional/LOW); B1/B2/E14 fixed.
  • Stray undefined/ (scan artifact, 2026-07-17): removed.

Position taken (strategic anchor)

llm-security consolidates; growth at family level (security-commons + llm-retrieval-guard sibling for the LLM08 write→retrieval seam). JS/TS AST-taint parity + post-clone CLAUDE.md-poisoning stay here; research artifact-scanners (model/pickle, .ipynb, insecure-ML) relocate to commons/guard. v8.0.0 = deprecation cleanup (LLM_SECURITY_* env-vars + riskScoreV1) + behaviour-preserving commons extraction + verified fixes + docs consistency.

Continuity

origin = Forgejo open/llm-security (PUBLIC, never GitHub). Push window: weekdays 20:0023:00; weekends/holidays anytime. STATE.md is intentionally TRACKED + committed (.gitignore:19-20 NOTE). Disclosure convention (set this session): a security fix to public code is committed but HELD until its release tag exists, so the exploit description in the commit/notes never lands before the fixed version users can upgrade to. Fix, bump, tag, catalog, push — one sequence.