
fix: symlink traversal, staged-content bypass, notifier test coverage#4

Closed
bokiko wants to merge 6 commits into
mainfrom
kyzn/20260331-analyze-fix-2f7df420
Closed


Conversation

@bokiko
Owner

@bokiko bokiko commented Mar 30, 2026

Summary

  • SEC-001: scan_directory now explicitly skips symlinks and verifies each file resolves within the repo root — prevents reading files outside the repo via symlinks (e.g. /etc/passwd, ~/.ssh/)
  • BUG-001: _scan_staged now reads staged content via git show :<path> instead of the working-tree copy — closes the bypass where staging a secret then editing it away caused the pre-commit hook to approve the commit
  • TEST-001: New tests/test_notifier.py (14 tests) covering send_email, create_github_issue, and notify() — including dry-run, missing credentials, 403/404 handling, deduplication, and DB marking

Test plan

  • pytest tests/test_engine.py — all existing engine tests still pass
  • pytest tests/test_notifier.py — all 14 new notifier tests pass
  • pytest — full suite (143 tests) passes

🤖 Generated with Claude Code
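As an added illustration of the two fixes the summary describes (not code from this PR or from the project), the sketch below implements a `scan_directory` that skips symlinks and rejects any entry whose resolved path lies outside the resolved repo root (SEC-001), and a `read_staged` helper that reads a path's index blob via `git show :<path>` rather than the working-tree copy (BUG-001). The function names echo the PR, but their signatures and bodies are assumptions; `make_demo_repo` builds a constructed temp layout with a symlink pointing outside the root so the behaviour can be checked offline.

```python
"""Added example, not the project's own code: a symlink-safe directory walk
and a staged-content reader, modelled on the SEC-001 / BUG-001 descriptions."""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def _is_within(path: Path, root: Path) -> bool:
    """True when `path` (already resolved) is `root` itself or below it."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def scan_directory(repo_root: str) -> List[str]:
    """Return sorted repo-relative paths of regular files that are safe to read.

    Two checks, mirroring SEC-001:
      1. symlinks (files and directories) are skipped outright, so a link to
         /etc/passwd or ~/.ssh is never opened;
      2. every surviving entry is resolved and must still lie under the
         resolved repo root, which also catches links higher up the tree.
    """
    root = Path(repo_root).resolve()
    safe: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune symlinked directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if not Path(dirpath, d).is_symlink()]
        for name in filenames:
            candidate = Path(dirpath, name)
            if candidate.is_symlink():
                continue  # check 1: never follow a link, whatever it points at
            resolved = candidate.resolve()
            if not resolved.is_file() or not _is_within(resolved, root):
                continue  # check 2: the real file must live inside the repo
            safe.append(str(resolved.relative_to(root)))
    return sorted(safe)


def read_staged(repo_root: str, rel_path: str) -> Optional[bytes]:
    """Return the content of `rel_path` as it sits in the index (BUG-001).

    `git show :<path>` reads the staged blob, not the working tree, so a secret
    that was staged and then edited away in the checkout is still seen by the
    pre-commit scan. Returns None when the path is not in the index.
    """
    proc = subprocess.run(
        ["git", "-C", repo_root, "show", ":" + rel_path],
        capture_output=True,
    )
    return proc.stdout if proc.returncode == 0 else None


def make_demo_repo() -> Tuple[str, str]:
    """Constructed fixture: a fake repo root plus an 'outside' directory.

    Layout (hypothetical):
      <root>/top.txt         regular file, should be scanned
      <root>/sub/ok.txt      regular file, should be scanned
      <root>/leak.txt   ->   <outside>/secret.txt   (symlink, must be skipped)
      <root>/linkdir    ->   <outside>              (symlinked dir, must be skipped)
    """
    root = tempfile.mkdtemp(prefix="demo-repo-")
    outside = tempfile.mkdtemp(prefix="demo-outside-")
    Path(outside, "secret.txt").write_text("hunter2\n")
    Path(root, "top.txt").write_text("hello\n")
    Path(root, "sub").mkdir()
    Path(root, "sub", "ok.txt").write_text("world\n")
    os.symlink(Path(outside, "secret.txt"), Path(root, "leak.txt"))
    os.symlink(outside, Path(root, "linkdir"))
    return root, outside


if __name__ == "__main__":
    demo_root, _ = make_demo_repo()
    print("safe files:", scan_directory(demo_root))  # leak.txt and linkdir are absent
    try:
        print("staged top.txt:", read_staged(demo_root, "top.txt"))  # None: not a git repo
    except FileNotFoundError:
        print("git is not installed; skipping read_staged demo")
```

`scan_directory` relies on `os.walk` leaving `followlinks=False`, but still prunes symlinked directories explicitly and re-checks each resolved file against the root, so the guarantee does not depend on the walker's default. `read_staged` deliberately returns `None` rather than falling back to the working tree when the index has no blob for the path; a fallback would reopen the bypass the summary describes.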

bokiko and others added 4 commits March 30, 2026 23:58
…can_staged, and notifier test coverage

- SEC-001: scan_directory now skips symlinks and verifies files resolve within repo root
- BUG-001: _scan_staged reads staged index content via `git show :<path>` instead of working tree files
- TEST-001: add tests/test_notifier.py with 14 tests covering send_email, create_github_issue, and notify()

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@bokiko
Owner Author

bokiko commented Mar 30, 2026

Closing: conflicts with PR #3 (now merged). The symlink traversal and staged-content bypass fixes from this PR should be re-evaluated on the updated main branch via a fresh kyzn fix run.

@bokiko bokiko closed this Mar 30, 2026
@bokiko bokiko deleted the kyzn/20260331-analyze-fix-2f7df420 branch April 6, 2026 11:22