llm-security/scanners
Kjell Tore Guttormsen a035455979 fix(llm-security): out-of-range char-ref silently emptied a plugin.xml field
decodeEntities guarded parseInt with Number.isFinite, which bounds
nothing: any numeric character reference above 0x10FFFF produced a
finite integer that String.fromCodePoint rejects with RangeError.

Correction to the review's framing: this does NOT break parsePluginXml's
no-throw contract. The per-field safe() wrapper catches it. The actual
defect is quieter — the affected field is discarded and replaced with
'', with only a warning. A plugin whose <name> carries one out-of-range
reference parses as name: "" while pluginId and every other field
survive, so name-based checks (JetBrains typosquat detection against the
top-plugin list) run against an empty string.

Severity is below the HIGH it was filed as: a document containing a code
point above 0x10FFFF is not well-formed XML, so IntelliJ would reject
such a plugin too — the evasion yields a plugin that does not load. The
fix is still correct and one line of logic.

- isDecodableCodePoint(): integer, >= 0, <= 0x10FFFF.
- Undecodable references are now left literal, matching how lenient
  parsers treat unrecognised entities and how this same function already
  treats unknown named entities.

Regression test drives parsePluginXml with hex and decimal references
just past and far past the maximum, asserts the no-throw contract still
holds, and pins that valid references, the maximum valid code point, and
named entities still decode.

npm test: 1901/1901 green (1890 + 11 new).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TcQyMTQfyrsAapaCMPxTtQ
2026-07-18 09:21:56 +02:00
..
lib fix(llm-security): out-of-range char-ref silently emptied a plugin.xml field 2026-07-18 09:21:56 +02:00
ai-bom-generator.mjs feat(scanner): add AI-BOM generator — CycloneDX 1.6 format for AI supply chain transparency 2026-04-10 13:29:30 +02:00
ast-taint-scanner.mjs feat(llm-security): add AST Python-taint scanner with python3 fallback 2026-06-20 09:38:36 +02:00
attack-simulator.mjs feat(red-team): 8 new evasion-arsenal scenarios for v7.2.0 (E1/E4/E5/E7/E16/E17) 2026-04-29 15:35:32 +02:00
auto-cleaner.mjs fix(llm-security): CRITICAL — command injection in auto-cleaner (v7.8.1) 2026-07-18 08:48:09 +02:00
content-extractor.mjs fix(llm-security): HIGH — obfuscated injections were reported but not stripped 2026-07-18 09:18:56 +02:00
dashboard-aggregator.mjs feat(llm-security): playground Fase 3 — v7.5.0 med 18 parsere/renderere 2026-05-05 22:15:47 +02:00
dep-auditor.mjs fix(dep): B7 — token-overlap typosquat heuristic alongside Levenshtein 2026-04-29 14:10:53 +02:00
entropy-scanner.mjs fix(llm-security): HIGH — entropy suppression keyed off the absolute path 2026-07-18 09:11:04 +02:00
git-forensics.mjs fix(llm-security): F-1 — eliminate shell-injection RCE in git-forensics scanner 2026-06-20 10:18:41 +02:00
ide-extension-scanner.mjs fix(llm-security): HIGH — one unparseable JetBrains plugin crashed ide-scan 2026-07-18 09:14:12 +02:00
mcp-baseline-reset.mjs feat(commands): E14 part 3 — /security mcp-baseline-reset slash command 2026-04-30 16:49:01 +02:00
mcp-live-inspect.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
memory-poisoning-scanner.mjs fix(memory-poisoning): E15 — add .claude/agents/*.md to target glob 2026-04-29 14:13:01 +02:00
network-mapper.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
permission-mapper.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
posture-scanner.mjs feat(llm-security): playground Fase 3 — v7.5.0 med 18 parsere/renderere 2026-05-05 22:15:47 +02:00
reference-config-generator.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
scan-orchestrator.mjs docs(llm-security): document TRG/SIG/AST scanners and package knowledge/ 2026-06-20 09:46:14 +02:00
signature-scanner.mjs feat(llm-security): add SIG signature scanner with decode-pipeline matching 2026-06-20 09:28:52 +02:00
supply-chain-recheck-cli.mjs fix(scanners): use process.exitCode instead of process.exit() after stdout.write 2026-04-10 14:11:31 +02:00
supply-chain-recheck.mjs fix(dep): B7 — token-overlap typosquat heuristic alongside Levenshtein 2026-04-29 14:10:53 +02:00
taint-tracer.mjs fix(taint-tracer): B6 — recognize destructuring + spread + rest patterns 2026-04-29 14:05:34 +02:00
toxic-flow-analyzer.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
trigger-scanner.mjs feat(llm-security): add TRG trigger-abuse scanner 2026-06-20 09:19:54 +02:00
unicode-scanner.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
watch-cron.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
workflow-scanner.mjs feat(workflow-scanner): E11 part 2 — re-interpolation + auth-bypass + WFL prefix + orchestrator 2026-04-30 15:57:10 +02:00