security: pass Haiku classifier prompt via stdin, not argv#1157
Open
garagon wants to merge 2 commits into garrytan:main from
Conversation
When both TestSavantAI and Haiku transcript classifiers fail to load, preSpawnSecurityCheck silently returns safe and the agent spawns with zero ML prompt injection defense. This adds a fail-closed gate that blocks agent spawn when all classifiers are inactive, with an explicit opt-out via GSTACK_SECURITY_ALLOW_INACTIVE=1.
Scanned content (user messages, tool outputs up to 8KB) was passed as a CLI argument to `claude -p <prompt>`, making it visible in `ps aux` and `/proc/<pid>/cmdline` for up to 15 seconds per classification. On shared Linux hosts (default hidepid=0) any local user could read it. Fix: pipe the prompt through stdin (`claude -p` reads from stdin when no argument follows) and scope the child env to PATH + HOME + ANTHROPIC_API_KEY only.
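The fail-closed gate described in the first commit message, written out as an added TypeScript example; this is not gstack's own code. The `Classifier` shape, `gateAgentSpawn` and its `GateDecision` result are assumptions made for the example; only the variable name `GSTACK_SECURITY_ALLOW_INACTIVE` and the `=1` opt-out come from the commit message. The gate treats "no classifier loaded" the same as "every classifier failed", and accepts only the exact value `1` so that a typo such as `true` cannot silently disable it.

```typescript
// Added example (not gstack's code): a fail-closed gate for agent spawn.
// Assumed shape of a loaded transcript classifier; `active` is false when
// its backend (model, binary, API key) failed to load.
export interface Classifier {
  name: string;
  active: boolean;
}

export interface GateDecision {
  allow: boolean;
  reason: string;
}

// Opt-out variable named in the commit message. Only the exact value "1"
// counts; "true", "yes" or an empty string leave the gate closed.
export const ALLOW_INACTIVE_VAR = "GSTACK_SECURITY_ALLOW_INACTIVE";

// Decide whether an agent may be spawned given the classifier set and the
// current environment (pass process.env in real use). With zero active
// classifiers the default is to refuse, replacing the old "return safe".
export function gateAgentSpawn(
  classifiers: Classifier[],
  env: Record<string, string | undefined>,
): GateDecision {
  const active = classifiers.filter((c) => c.active).map((c) => c.name);
  const inactive = classifiers.filter((c) => !c.active).map((c) => c.name);
  const inactiveList = inactive.join(", ") || "none configured";

  if (active.length > 0) {
    return { allow: true, reason: `active classifiers: ${active.join(", ")}` };
  }

  if (env[ALLOW_INACTIVE_VAR] === "1") {
    return {
      allow: true,
      reason:
        `no classifier active (${inactiveList}); ` +
        `spawn permitted by ${ALLOW_INACTIVE_VAR}=1`,
    };
  }

  return {
    allow: false,
    reason:
      `no classifier active (${inactiveList}); ` +
      `refusing to spawn, set ${ALLOW_INACTIVE_VAR}=1 to override`,
  };
}
```

The `reason` string is meant to be logged on every refusal: an operator who hits the gate should be able to see which classifiers failed to load rather than a bare "blocked".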
Summary

The Haiku transcript classifier passes scanned content (user messages + tool outputs, up to 8KB) as a CLI argument to `claude -p <prompt>`. This makes the full prompt visible via `ps aux` or `/proc/<pid>/cmdline` for up to 15 seconds per classification call.

On shared Linux hosts (default `hidepid=0`), any local user can read the scanned content — which may include page text, tool outputs, and potentially tokens or credentials visible on the page when the classifier fires. On macOS 10.15+ the exposure is lower (Full Disk Access required to read other users' processes), but still present for same-user monitoring.

What this PR does

Two changes in `checkTranscript()` (`security-classifier.ts`):

1. Prompt via stdin: `claude -p` (no argument) reads from stdin. The prompt is written to `p.stdin` and the pipe closed, keeping it off the process argument list entirely.
2. Scoped child env: the spawned process now inherits only `PATH`, `HOME`, and `ANTHROPIC_API_KEY` instead of the full parent `process.env`. This prevents leaking unrelated secrets (other API keys, tokens) into the child's environment.

Before / After

Test plan

- `bun test browse/test/security-classifier.test.ts`: 16/16 pass
- `bun test`: full free suite passes
- `ps aux | grep claude` shows no prompt content
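Both changes in the PR body (prompt on stdin, allow-listed child environment) as an added TypeScript example; this is not the code in `security-classifier.ts`, and the names `scopeEnv`, `classifierArgv`, `argvLeaksPrompt`, `runWithStdin` and `demo` are made up for the example. It assumes, as the PR does, that `claude -p` with no positional argument reads its prompt from stdin; `demo` substitutes `cat` for `claude` so the block runs offline and shows the prompt reaching the child without ever entering argv.

```typescript
import { spawn } from "node:child_process";

// Added example (not gstack's code): spawn a classifier subprocess with the
// prompt on stdin and a minimal environment. Only these three variables are
// forwarded, matching the PR; every other parent variable is dropped.
export const CHILD_ENV_ALLOWLIST = ["PATH", "HOME", "ANTHROPIC_API_KEY"] as const;

export function scopeEnv(
  parent: Record<string, string | undefined>,
): Record<string, string> {
  const scoped: Record<string, string> = {};
  for (const key of CHILD_ENV_ALLOWLIST) {
    const value = parent[key];
    if (value !== undefined) scoped[key] = value;
  }
  return scoped;
}

// Arguments for the classifier call. The prompt must never appear here:
// argv is readable through /proc/<pid>/cmdline by any local user when the
// host mounts /proc with hidepid=0, and it shows up in `ps aux`.
export function classifierArgv(): string[] {
  return ["-p"];
}

// Regression check for the pre-fix behaviour: true if any argv element
// carries the start of the prompt. Intended for a unit test of the spawn site.
export function argvLeaksPrompt(argv: string[], prompt: string): boolean {
  const probe = prompt.slice(0, 64);
  return probe.length > 0 && argv.some((a) => a.includes(probe));
}

export interface ChildResult {
  code: number | null;
  stdout: string;
}

// Run `cmd args...` with `input` written to stdin and `env` as the complete
// child environment (not merged with process.env). stdin is closed after the
// write so the child sees EOF; `timeout` sends SIGTERM if the child hangs.
export function runWithStdin(
  cmd: string,
  args: string[],
  input: string,
  env: Record<string, string>,
  timeoutMs = 15_000,
): Promise<ChildResult> {
  return new Promise((resolve, reject) => {
    const child = spawn(cmd, args, {
      env,
      stdio: ["pipe", "pipe", "inherit"],
      timeout: timeoutMs,
    });
    let stdout = "";
    child.stdout?.setEncoding("utf8");
    child.stdout?.on("data", (chunk: string) => {
      stdout += chunk;
    });
    child.on("error", reject);
    child.on("close", (code) => resolve({ code, stdout }));
    child.stdin?.end(input); // whole prompt, then EOF; end() handles backpressure
  });
}

// Offline demonstration: `cat` stands in for `claude` and echoes stdin, so
// stdout equals the prompt while argv stays empty of it.
export async function demo(prompt: string): Promise<ChildResult> {
  const argv: string[] = []; // `cat` takes no -p; real call uses classifierArgv()
  if (argvLeaksPrompt(argv, prompt)) throw new Error("prompt leaked into argv");
  return runWithStdin("cat", argv, prompt, scopeEnv(process.env));
}
```

Two caveats worth keeping in mind when checking this fix: `ANTHROPIC_API_KEY` is still present in the child, and `/proc/<pid>/environ` is readable by the process owner and root, so the scoped env protects against other users and against leaking unrelated secrets, not against same-user inspection. And the `ps aux | grep claude` check from the test plan only proves argv is clean for the instant it runs; the `argvLeaksPrompt` assertion above gives the same guarantee in a unit test, on every run.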