fix(permissions): flag wildcard and case-variant dangerous tool grants#32
Open
dmchaledev wants to merge 1 commit into
Open
fix(permissions): flag wildcard and case-variant dangerous tool grants#32dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
OVERPRIVILEGED_TOOL and UNRESTRICTED_FILE_ACCESS matched permission strings exactly and case-sensitively, so a grant strictly broader than a listed dangerous permission slipped through — and the whole scan reported PASSED. A tool with "permissions": ["*"] (grants everything), "shell:*" (broader than shell:exec), or "SHELL:EXEC" (case variant) produced no finding. For a CI/CD security gate, missing a maximally-overprivileged tool is a meaningful false negative. Fix: - OVERPRIVILEGED_TOOL: match a dangerous permission when the granted permission is an exact match, a global "*", or a category wildcard (e.g. shell:* covers shell:exec). Comparison is case-insensitive. Evidence reports the granted permission (original spelling) that fired. - UNRESTRICTED_FILE_ACCESS: normalize case and treat a global "*" as full filesystem access alongside the existing filesystem:* / read+write logic. Regression tests cover global/category wildcards, case variants, and negative cases (read-only, unrelated category wildcard). All 127 tests, typecheck, and lint pass; secure example still PASSES (no false positive), vulnerable example still FAILED. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013AmKB9ALSPnXTJsSMqvVhJ
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
A HIGH-severity false negative in the tool-permission rules: a grant that is strictly broader than a listed dangerous permission slips through, and the whole scan reports PASSED. The matching in
OVERPRIVILEGED_TOOL(src/rules/config-rules.ts) andUNRESTRICTED_FILE_ACCESS(src/rules/runtime-rules.ts) was exact-string and case-sensitive:So a tool granted the broadest possible permissions is not flagged:
permissions["*"]shell:exec["shell:*"]shell:exec)["SHELL:EXEC"]shell:exec, different case["filesystem:*"]filesystem:write)UNRESTRICTED_FILE_ACCESS, notOVERPRIVILEGED_TOOLRepro (built CLI at current
main)For a tool sold as a CI/CD security gate, a maximally-overprivileged tool passing silently is exactly the class of misconfiguration this scanner exists to catch.
Fix
OVERPRIVILEGED_TOOL— a granted permission now matches a dangerous one when it is an exact match, a global*, or a category wildcard that subsumes it (shell:*coversshell:exec). Comparison is case-insensitive. Evidence still reports the granted permission in its original spelling, so*/shell:*surface in the finding.UNRESTRICTED_FILE_ACCESS— normalize case and treat a global*as full filesystem access, alongside the existingfilesystem:*/ read+write logic.The change is localized to the two rules; the parser, scorer, and report shape are untouched. Detection only widens to subsuming grants — no rule fires on anything narrower than before, so there are no new false positives (the unrelated
logging:*case is covered by a negative test).Verification
npm run typecheck✓ ·npm run lint(0 warnings) ✓ ·npm test— 127 passed, 5 suites ✓ ·npm run build✓wild.jsonrepro now correctly FAILS (*andshell:*flagged).examples/secure-config.json→ still PASSED (no false positive).examples/vulnerable-config.json→ still FAILED (thefilesystem:*tool is now also correctly flaggedOVERPRIVILEGED_TOOL).UNRESTRICTED_FILE_ACCESSpreviously had no dedicated test block — one is added.Why this isn't a duplicate
None of the open issues (#11, #19, #26, #27) or open PRs (secrets #28/#29, traversal #31, TLS #18,
--rule#17/#25, CI #12/#20, docs) touch permission matching — they concern auth, transport, output paths, secrets, YAML, CLI, and CI. This closes a distinct false-negative class in the permission rules.Acceptance criteria
["*"]or["shell:*"]is flaggedOVERPRIVILEGED_TOOL.SHELL:EXECfires).["*"]andfilesystem:*are flaggedUNRESTRICTED_FILE_ACCESS.🤖 Generated with Claude Code
https://claude.ai/code/session_013AmKB9ALSPnXTJsSMqvVhJ
Generated by Claude Code