llm-security/scanners
Kjell Tore Guttormsen e46b5a3256 fix(llm-security): F-1 — eliminate shell-injection RCE in git-forensics scanner
git-forensics ran execSync(`git ${cmd}`), interpolating attacker-controlled
filenames from the SCANNED repo (git ls-files / git log --name-only) into a
shell string. A hostile repo containing a file named `commands/$(touch X).md`
achieved zero-interaction RCE on `/security scan <url>`: gitScan is in the
default scanner array and runs OUTSIDE the git-clone OS sandbox (which wraps
only the clone), so it executed unsandboxed on all platforms.

Convert the git() helper to spawnSync('git', [...args]) with no shell; every
call site now passes discrete tokens (shell quoting removed — git does its own
pathspec globbing). The helper throws on non-zero exit, preserving existing
per-category/per-file try/catch semantics.

TDD: adds a failing-first regression (tests/scanners/git-injection.test.mjs)
that builds a hostile-filename fixture repo and asserts the injected command
never runs. RED against execSync, GREEN after the fix.

Also removes two stray committed root artifacts (F-5/F-6): `--json`
(0-byte redirect husk) and .orphaned_at.

Closing gates: full node --test suite 1860/0; gitleaks clean. F-2/F-3 follow
in Session B.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 10:18:41 +02:00
..
lib docs(llm-security): document TRG/SIG/AST scanners and package knowledge/ 2026-06-20 09:46:14 +02:00
ai-bom-generator.mjs feat(scanner): add AI-BOM generator — CycloneDX 1.6 format for AI supply chain transparency 2026-04-10 13:29:30 +02:00
ast-taint-scanner.mjs feat(llm-security): add AST Python-taint scanner with python3 fallback 2026-06-20 09:38:36 +02:00
attack-simulator.mjs feat(red-team): 8 new evasion-arsenal scenarios for v7.2.0 (E1/E4/E5/E7/E16/E17) 2026-04-29 15:35:32 +02:00
auto-cleaner.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
content-extractor.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
dashboard-aggregator.mjs feat(llm-security): playground Fase 3 — v7.5.0 med 18 parsere/renderere 2026-05-05 22:15:47 +02:00
dep-auditor.mjs fix(dep): B7 — token-overlap typosquat heuristic alongside Levenshtein 2026-04-29 14:10:53 +02:00
entropy-scanner.mjs fix(entropy): E18 — rule 18 markdown-image CDN-aware + secret pre-check 2026-04-29 15:18:37 +02:00
git-forensics.mjs fix(llm-security): F-1 — eliminate shell-injection RCE in git-forensics scanner 2026-06-20 10:18:41 +02:00
ide-extension-scanner.mjs feat(llm-security): playground Fase 3 — v7.5.0 med 18 parsere/renderere 2026-05-05 22:15:47 +02:00
mcp-baseline-reset.mjs feat(commands): E14 part 3 — /security mcp-baseline-reset slash command 2026-04-30 16:49:01 +02:00
mcp-live-inspect.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
memory-poisoning-scanner.mjs fix(memory-poisoning): E15 — add .claude/agents/*.md to target glob 2026-04-29 14:13:01 +02:00
network-mapper.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
permission-mapper.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
posture-scanner.mjs feat(llm-security): playground Fase 3 — v7.5.0 med 18 parsere/renderere 2026-05-05 22:15:47 +02:00
reference-config-generator.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
scan-orchestrator.mjs docs(llm-security): document TRG/SIG/AST scanners and package knowledge/ 2026-06-20 09:46:14 +02:00
signature-scanner.mjs feat(llm-security): add SIG signature scanner with decode-pipeline matching 2026-06-20 09:28:52 +02:00
supply-chain-recheck-cli.mjs fix(scanners): use process.exitCode instead of process.exit() after stdout.write 2026-04-10 14:11:31 +02:00
supply-chain-recheck.mjs fix(dep): B7 — token-overlap typosquat heuristic alongside Levenshtein 2026-04-29 14:10:53 +02:00
taint-tracer.mjs fix(taint-tracer): B6 — recognize destructuring + spread + rest patterns 2026-04-29 14:05:34 +02:00
toxic-flow-analyzer.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
trigger-scanner.mjs feat(llm-security): add TRG trigger-abuse scanner 2026-06-20 09:19:54 +02:00
unicode-scanner.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
watch-cron.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
workflow-scanner.mjs feat(workflow-scanner): E11 part 2 — re-interpolation + auth-bypass + WFL prefix + orchestrator 2026-04-30 15:57:10 +02:00