Merge pull request #31 from kenryu42/fix/tmpdir-traversal-bypass

Fix: tmpdir traversal bypass

Author: kenryu42

.github/workflows/ci.yml

@@ -5,22 +5,42 @@ on:
   push:
     branches: [main]
     paths:
+      - ".github/workflows/**"
       - "src/**"
       - "scripts/**"
       - "tests/**"
+      - "assets/**"
+      - "package.json"
+      - "bun.lock"
+      - "tsconfig.json"
+      - "tsconfig.build.json"
+      - "biome.json"
+      - "knip.ts"
+      - "sgconfig.yml"
+      - "ast-grep/**"
   pull_request:
     branches: [main]
     paths:
+      - ".github/workflows/**"
       - "src/**"
       - "scripts/**"
       - "tests/**"
+      - "assets/**"
+      - "package.json"
+      - "bun.lock"
+      - "tsconfig.json"
+      - "tsconfig.build.json"
+      - "biome.json"
+      - "knip.ts"
+      - "sgconfig.yml"
+      - "ast-grep/**"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
-  quality:
+  full-check:
     runs-on: ubuntu-latest
 
     steps:
@@ -31,39 +51,12 @@ jobs:
           bun-version: latest
 
       - name: Install dependencies
-        run: bun install
+        run: bun install --frozen-lockfile
         env:
           BUN_INSTALL_ALLOW_SCRIPTS: "@ast-grep/cli"
 
-      - name: Run linter
-        run: bun run lint
-
-      - name: Run type checker
-        run: bun run typecheck
-
-      - name: Run dead code detection
-        run: bun run knip
-
-      - name: Run ast-grep scan
-        run: bun run sg:scan
-
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
-
-      - name: Install dependencies
-        run: bun install
-        env:
-          BUN_INSTALL_ALLOW_SCRIPTS: "@ast-grep/cli"
-
-      - name: Run tests with coverage
-        run: AGENT=1 bun test --coverage --coverage-reporter=lcov
+      - name: Run full checks
+        run: bun run check:ci
 
       - name: Upload coverage reports to Codecov
         uses: codecov/codecov-action@v5
@@ -72,7 +65,7 @@ jobs:
 
   build:
     runs-on: ubuntu-latest
-    needs: [quality, test]
+    needs: [full-check]
     permissions:
       contents: write
 
@@ -86,7 +79,7 @@ jobs:
           bun-version: latest
 
       - name: Install dependencies
-        run: bun install
+        run: bun install --frozen-lockfile
         env:
           BUN_INSTALL_ALLOW_SCRIPTS: "@ast-grep/cli"
 

.github/workflows/publish.yml

@@ -24,7 +24,7 @@ permissions:
   id-token: write
 
 jobs:
-  test:
+  full-check:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -34,33 +34,16 @@ jobs:
           bun-version: latest
 
       - name: Install dependencies
-        run: bun install
-        env:
-          BUN_INSTALL_ALLOW_SCRIPTS: "@ast-grep/cli"
-
-      - name: Run tests
-        run: AGENT=1 bun test --coverage
-
-  typecheck:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
-
-      - name: Install dependencies
-        run: bun install
+        run: bun install --frozen-lockfile
         env:
           BUN_INSTALL_ALLOW_SCRIPTS: "@ast-grep/cli"
 
-      - name: Type check
-        run: bun run typecheck
+      - name: Run full checks
+        run: bun run check:ci
 
   publish:
     runs-on: ubuntu-latest
-    needs: [test, typecheck]
+    needs: [full-check]
     if: github.repository == 'kenryu42/claude-code-safety-net'
     steps:
       - uses: actions/checkout@v4

dist/bin/cc-safety-net.js

@@ -1580,10 +1580,6 @@ function splitShellCommands(command) {
   let i = 0;
   while (i < tokens.length) {
     const token = tokens[i];
-    if (token === undefined) {
-      i++;
-      continue;
-    }
     if (isOperator(token)) {
       if (current.length > 0) {
         segments.push(current);
@@ -1714,9 +1710,6 @@ function parseEnvAssignment(token) {
     return null;
   }
   const eqIdx = token.indexOf("=");
-  if (eqIdx < 0) {
-    return null;
-  }
   return { name: token.slice(0, eqIdx), value: token.slice(eqIdx + 1) };
 }
 function stripEnvAssignmentsWithInfo(tokens) {
@@ -2736,6 +2729,7 @@ function parseParallelCommand(tokens) {
 
 // src/core/analyze/tmpdir.ts
 import { tmpdir as tmpdir2 } from "node:os";
+import { normalize as normalize2, sep as sep2 } from "node:path";
 function isTmpdirOverriddenToNonTemp(envAssignments) {
   if (!envAssignments.has("TMPDIR")) {
     return false;
@@ -2744,8 +2738,9 @@ function isTmpdirOverriddenToNonTemp(envAssignments) {
   if (tmpdirValue === "") {
     return true;
   }
-  const sysTmpdir = tmpdir2();
-  if (isPathOrSubpath(tmpdirValue, "/tmp") || isPathOrSubpath(tmpdirValue, "/var/tmp") || isPathOrSubpath(tmpdirValue, sysTmpdir)) {
+  const normalizedTmpdirValue = normalize2(tmpdirValue);
+  const sysTmpdir = normalize2(tmpdir2());
+  if (isPathOrSubpath(normalizedTmpdirValue, normalize2("/tmp")) || isPathOrSubpath(normalizedTmpdirValue, normalize2("/var/tmp")) || isPathOrSubpath(normalizedTmpdirValue, sysTmpdir)) {
     return false;
   }
   return true;
@@ -2754,7 +2749,7 @@ function isPathOrSubpath(path, basePath) {
   if (path === basePath) {
     return true;
   }
-  const baseWithSlash = basePath.endsWith("/") ? basePath : `${basePath}/`;
+  const baseWithSlash = basePath.endsWith(sep2) ? basePath : `${basePath}${sep2}`;
   return path.startsWith(baseWithSlash);
 }
 

dist/index.js

@@ -441,10 +441,6 @@ function splitShellCommands(command) {
   let i = 0;
   while (i < tokens.length) {
     const token = tokens[i];
-    if (token === undefined) {
-      i++;
-      continue;
-    }
     if (isOperator(token)) {
       if (current.length > 0) {
         segments.push(current);
@@ -575,9 +571,6 @@ function parseEnvAssignment(token) {
     return null;
   }
   const eqIdx = token.indexOf("=");
-  if (eqIdx < 0) {
-    return null;
-  }
   return { name: token.slice(0, eqIdx), value: token.slice(eqIdx + 1) };
 }
 function stripEnvAssignmentsWithInfo(tokens) {
@@ -1597,6 +1590,7 @@ function parseParallelCommand(tokens) {
 
 // src/core/analyze/tmpdir.ts
 import { tmpdir as tmpdir2 } from "node:os";
+import { normalize as normalize2, sep as sep2 } from "node:path";
 function isTmpdirOverriddenToNonTemp(envAssignments) {
   if (!envAssignments.has("TMPDIR")) {
     return false;
@@ -1605,8 +1599,9 @@ function isTmpdirOverriddenToNonTemp(envAssignments) {
   if (tmpdirValue === "") {
     return true;
   }
-  const sysTmpdir = tmpdir2();
-  if (isPathOrSubpath(tmpdirValue, "/tmp") || isPathOrSubpath(tmpdirValue, "/var/tmp") || isPathOrSubpath(tmpdirValue, sysTmpdir)) {
+  const normalizedTmpdirValue = normalize2(tmpdirValue);
+  const sysTmpdir = normalize2(tmpdir2());
+  if (isPathOrSubpath(normalizedTmpdirValue, normalize2("/tmp")) || isPathOrSubpath(normalizedTmpdirValue, normalize2("/var/tmp")) || isPathOrSubpath(normalizedTmpdirValue, sysTmpdir)) {
     return false;
   }
   return true;
@@ -1615,7 +1610,7 @@ function isPathOrSubpath(path, basePath) {
   if (path === basePath) {
     return true;
   }
-  const baseWithSlash = basePath.endsWith("/") ? basePath : `${basePath}/`;
+  const baseWithSlash = basePath.endsWith(sep2) ? basePath : `${basePath}${sep2}`;
   return path.startsWith(baseWithSlash);
 }
 

package.json

@@ -17,7 +17,9 @@
     "build:schema": "bun run scripts/build-schema.ts",
     "clean": "rm -rf dist",
     "check": "bun run lint && bun run typecheck && bun run knip && bun run sg:scan && AGENT=1 bun test --coverage",
+    "check:ci": "bun run lint:ci && bun run typecheck && bun run knip && bun run sg:scan && AGENT=1 bun test --coverage --coverage-reporter=lcov",
     "lint": "biome check --write",
+    "lint:ci": "biome ci .",
     "typecheck": "tsc --noEmit",
     "knip": "knip --production",
     "sg:scan": "ast-grep scan",

src/core/analyze/tmpdir.ts

@@ -1,4 +1,5 @@
 import { tmpdir } from 'node:os';
+import { normalize, sep } from 'node:path';
 
 export function isTmpdirOverriddenToNonTemp(envAssignments: Map<string, string>): boolean {
   if (!envAssignments.has('TMPDIR')) {
@@ -11,12 +12,14 @@ export function isTmpdirOverriddenToNonTemp(envAssignments: Map<string, string>)
     return true;
   }
 
+  const normalizedTmpdirValue = normalize(tmpdirValue);
+
   // Check if it's a known temp path (exact match or subpath)
-  const sysTmpdir = tmpdir();
+  const sysTmpdir = normalize(tmpdir());
   if (
-    isPathOrSubpath(tmpdirValue, '/tmp') ||
-    isPathOrSubpath(tmpdirValue, '/var/tmp') ||
-    isPathOrSubpath(tmpdirValue, sysTmpdir)
+    isPathOrSubpath(normalizedTmpdirValue, normalize('/tmp')) ||
+    isPathOrSubpath(normalizedTmpdirValue, normalize('/var/tmp')) ||
+    isPathOrSubpath(normalizedTmpdirValue, sysTmpdir)
   ) {
     return false;
   }
@@ -32,7 +35,7 @@ function isPathOrSubpath(path: string, basePath: string): boolean {
   if (path === basePath) {
     return true;
   }
-  // Ensure basePath ends with / for proper prefix matching
-  const baseWithSlash = basePath.endsWith('/') ? basePath : `${basePath}/`;
+  // Ensure basePath ends with the platform separator for proper prefix matching.
+  const baseWithSlash = basePath.endsWith(sep) ? basePath : `${basePath}${sep}`;
   return path.startsWith(baseWithSlash);
 }

src/core/shell.ts

@@ -20,12 +20,7 @@ export function splitShellCommands(command: string): string[][] {
   let i = 0;
 
   while (i < tokens.length) {
-    const token = tokens[i];
-    if (token === undefined) {
-      i++;
-      continue;
-    }
-
+    const token = tokens[i] as ParseEntry;
     if (isOperator(token)) {
       if (current.length > 0) {
         segments.push(current);
@@ -182,9 +177,6 @@ function parseEnvAssignment(token: string): { name: string; value: string } | nu
     return null;
   }
   const eqIdx = token.indexOf('=');
-  if (eqIdx < 0) {
-    return null;
-  }
   return { name: token.slice(0, eqIdx), value: token.slice(eqIdx + 1) };
 }
 

tests/bin/doctor/system-info.test.ts

@@ -80,6 +80,11 @@ describe('defaultVersionFetcher', () => {
     expect(result).toBeNull();
   });
 
+  test('returns null when spawn throws synchronously for invalid command input', async () => {
+    const result = await defaultVersionFetcher(['\u0000']);
+    expect(result).toBeNull();
+  });
+
   test('returns version for existing commands', async () => {
     const result = await defaultVersionFetcher(['bun', '--version']);
     expect(result).not.toBeNull();

tests/bin/explain/command.test.ts

@@ -333,6 +333,12 @@ describe('explainCommand guard parity fixes', () => {
     expect(result.result).toBe('allowed');
   });
 
+  test('Fix #3: TMPDIR traversal override blocks rm', () => {
+    const result = explainCommand('TMPDIR=/tmp/../root rm -rf $TMPDIR/foo', { cwd: '/tmp' });
+    expect(result.result).toBe('blocked');
+    expect(result.reason).toContain('rm -rf');
+  });
+
   test('Fix #4: fallback scan finds embedded git in non-head position', () => {
     const result = explainCommand('nice git reset --hard');
     expect(result.result).toBe('blocked');

tests/core/analyze/analyze-coverage.test.ts

@@ -136,6 +136,14 @@ describe('analyzeCommand (coverage)', () => {
     expect(result).toBeNull();
   });
 
+  test('TMPDIR traversal override blocks $TMPDIR', () => {
+    const result = analyzeCommand('TMPDIR=/tmp/../root rm -rf $TMPDIR/test-dir', {
+      cwd: '/tmp',
+      config: EMPTY_CONFIG,
+    });
+    expect(result?.reason).toContain('rm -rf');
+  });
+
   test('xargs child git command is analyzed', () => {
     const result = analyzeCommand('xargs git reset --hard', {
       cwd: '/tmp',