llm-security/scanners/lib
Kjell Tore Guttormsen a035455979 fix(llm-security): out-of-range char-ref silently emptied a plugin.xml field
decodeEntities guarded parseInt with Number.isFinite, which bounds
nothing: any numeric character reference above 0x10FFFF produced a
finite integer that String.fromCodePoint rejects with RangeError.

Correction to the review's framing: this does NOT break parsePluginXml's
no-throw contract. The per-field safe() wrapper catches it. The actual
defect is quieter — the affected field is discarded and replaced with
'', with only a warning. A plugin whose <name> carries one out-of-range
reference parses as name: "" while pluginId and every other field
survive, so name-based checks (JetBrains typosquat detection against the
top-plugin list) run against an empty string.

Severity is below the HIGH it was filed as: a document containing a code
point above 0x10FFFF is not well-formed XML, so IntelliJ would reject
such a plugin too — the evasion yields a plugin that does not load. The
fix is still correct and one line of logic.

- isDecodableCodePoint(): integer, >= 0, <= 0x10FFFF.
- Undecodable references are now left literal, matching how lenient
  parsers treat unrecognised entities and how this same function already
  treats unknown named entities.

Regression test drives parsePluginXml with hex and decimal references
just past and far past the maximum, asserts the no-throw contract still
holds, and pins that valid references, the maximum valid code point, and
named entities still decode.

npm test: 1901/1901 green (1890 + 11 new).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TcQyMTQfyrsAapaCMPxTtQ
2026-07-18 09:21:56 +02:00
..
audit-trail.mjs feat(policy-loader): 8.7 — env-var deprecation warnings (v8.0.0 removal) 2026-04-30 17:11:07 +02:00
bash-normalize.mjs feat(bash-normalize): T7 — process substitution collapse (E8) 2026-04-30 15:14:04 +02:00
bom-builder.mjs feat(scanner): add AI-BOM generator — CycloneDX 1.6 format for AI supply chain transparency 2026-04-10 13:29:30 +02:00
diff-engine.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
distribution-stats.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
file-discovery.mjs feat(llm-security)!: v7.0.0 commit 6 — tests, docs, version bump 2026-04-19 22:26:35 +02:00
fs-utils.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
git-clone.mjs feat(git-clone): E12 — .gitattributes filter-driver post-clone advisory 2026-04-30 15:29:13 +02:00
ide-extension-data.mjs feat(llm-security): seed top-jetbrains-plugins.json + loadJetBrainsBlocklist export 2026-04-18 09:56:55 +02:00
ide-extension-discovery.mjs feat(llm-security): honor LLM_SECURITY_IDE_ROOTS for JetBrains discovery 2026-04-18 11:09:02 +02:00
ide-extension-parser.mjs fix(llm-security): out-of-range char-ref silently emptied a plugin.xml field 2026-07-18 09:21:56 +02:00
injection-patterns.mjs feat(injection): E3 — rot13 layer for comment-block injection 2026-04-30 15:21:03 +02:00
jetbrains-fetch-worker.mjs feat(llm-security): URL-fetch support for JetBrains Marketplace (v6.6.0) 2026-04-18 10:46:13 +02:00
mcp-description-cache.mjs feat(mcp-description-cache): E14 part 1 — baseline + history schema (cumulative drift) [skip-docs] 2026-04-30 16:37:33 +02:00
output.mjs docs(llm-security): document TRG/SIG/AST scanners and package knowledge/ 2026-06-20 09:46:14 +02:00
policy-loader.mjs feat(llm-security): wire AST scanner into orchestrator and policy 2026-06-20 09:41:32 +02:00
py-ast-taint.py feat(llm-security): add AST Python-taint scanner with python3 fallback 2026-06-20 09:38:36 +02:00
sarif-formatter.mjs feat(scanner): add SARIF 2.1.0 output format to scan-orchestrator (--format sarif) 2026-04-10 13:22:59 +02:00
severity.mjs feat(llm-security): wire AST scanner into orchestrator and policy 2026-06-20 09:41:32 +02:00
skill-registry.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
string-utils.mjs feat(injection): E3 — rot13 layer for comment-block injection 2026-04-30 15:21:03 +02:00
supply-chain-data.mjs feat(pre-install-supply-chain): E13 — npm scope-hopping MEDIUM advisory with allowlist 2026-04-30 15:38:28 +02:00
vsix-fetch-worker.mjs feat(llm-security): OS sandbox for /security ide-scan <url> (v6.5.0) 2026-04-17 17:28:57 +02:00
vsix-fetch.mjs feat(llm-security): add fetchJetBrainsPlugin + URL detection for plugins.jetbrains.com 2026-04-18 10:39:54 +02:00
vsix-sandbox.mjs refactor(llm-security): parameterize buildSandboxedWorker with workerPath 2026-04-18 10:37:10 +02:00
workflow-yaml-state.mjs feat(workflow-scanner): E11 part 2 — re-interpolation + auth-bypass + WFL prefix + orchestrator 2026-04-30 15:57:10 +02:00
yaml-frontmatter.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
zip-extract.mjs feat(llm-security): /security ide-scan <url> — Marketplace/OpenVSX/direct VSIX (v6.4.0) 2026-04-17 17:16:26 +02:00