llm-security/STATE.md
2026-06-20 10:19:20 +02:00

2.8 KiB
Raw Blame History

STATE — llm-security

Active focus: Security-fix track (from docs/security-fix-brief-2026-06-20.md). Critical review DONE — brief verified sound. Implementing must-fixes over MULTIPLE sessions (context-limited). Session A (F-1 + F-5/F-6) DONE + pushed. Next = Session B (F-2 + F-3). TRG/SIG/AST (TRG/SIG/AST) shipped Steps 17; v7.8.0 release (Step 8) stays DEFERRED behind these fixes.

Critical-review verdict (DONE — do NOT re-derive)

  • F-1 / F-2 / F-3 = MUST FIX. Verified real, correctly diagnosed, fixes are local + mechanical.
  • F-5 / F-6 = cheap cleanup. DONE — --json + .orphaned_at removed in Session A.
  • F-4 = optional (LOW, by-design MCP spawn; a confirm-gate is a judgment call).
  • One gap to add: F-2's prefix containment does NOT stop a symlink-escape — note it, but the prefix check is the must-do part.

Multi-session plan (TDD each: repro → red → green; full node --test green; gitleaks clean)

  • Session A — F-1 (CRITICAL) + cleanup. DONE (commit 5f50899, pushed). git() in scanners/git-forensics.mjs now spawnSync('git', [...tokens], {cwd}) (no shell); ALL ~25 call sites pass discrete arrays. Repro tests/scanners/git-injection.test.mjs (hostile $(...) filename) RED→GREEN. F-5/F-6 git rm folded in. Suite 1860/0.
  • Session B — F-2 + F-3 (both HIGH). ← NEXT
    • F-2 scanners/auto-cleaner.mjs (sink ~:776 resolve(targetPath, f.file), write ~:878-881): before write assert absPath === targetPath || absPath.startsWith(targetPath + sep); else skip + report. Test: a finding file: "../escape.txt" is refused, not written.
    • F-3 scanners/lib/supply-chain-data.mjs:221-227 (execSafe = execSync) reached via hooks/scripts/pre-install-supply-chain.mjs:254inspectNpmPackage: switch to spawnSync('npm',['view',spec,'--json']) OR validate spec ^[@/A-Za-z0-9._-]+$ first. Test: spec foo;touch X must not execute touch.
  • Session C — release. Then Step 8 (v7.8.0) per docs/plans/trekplan-2026-06-20-TRG/SIG/AST-gap-analysis.md. Optionally F-4 confirm-gate.

COLD START (next session = Session B)

  1. pwd + git status (expect clean). Read docs/security-fix-brief-2026-06-20.md (F-2/F-3) + this STATE.
  2. Start Session B TDD — F-2 first (failing repro: a ../escape.txt finding must be refused), then F-3.
  3. Mirror the Session-A pattern: array-arg spawnSync (style ref scanners/lib/git-clone.mjs), repro-first, keep suite green, gitleaks clean, commit + push.

Continuity notes

  • Disclosure hold MOOT: review 738770e + brief fea943b already on origin/main (verified). No special bundling — push fixes normally.
  • origin = Forgejo open/llm-security (never GitHub). Push window: weekdays 20:0023:00; weekends/ holidays anytime. Suite now 1860/0 (was 1859; +1 F-1 regression test).