Skip to content

Update README for v0.10.0#41

Merged
thebenignhacker merged 3 commits intomainfrom
docs/v0.10.0-readme
Mar 12, 2026
Merged

Update README for v0.10.0#41
thebenignhacker merged 3 commits intomainfrom
docs/v0.10.0-readme

Conversation

@thebenignhacker
Copy link
Copy Markdown
Contributor

@thebenignhacker thebenignhacker commented Mar 12, 2026

Summary

  • Document the new --publish flag on secure, attack, and scan-soul commands
  • Add Registry Integration section explaining community vs full-weight publishing
  • Add --registry-url custom endpoint option to examples

Test plan

  • Build passes
  • All 838 tests pass
  • README renders correctly (no broken markdown)

@thebenignhacker
Bump version to 0.10.0
7c4e783
@thebenignhacker
Fix SSRF, TLS validation, and shell injection vulnerabilities
ce35178 
- Add protocol validation to external scanner (block file://, gopher://, etc.)
- Add warning when scanning private/reserved IPs (allowed since local testing is a core use case)
- Enable TLS certificate validation by default, controllable via insecure option
- Replace execSync shell interpolation with execFileSync to prevent shell injection in soul scanner
@thebenignhacker
Update README for v0.10.0 --publish flag
461f3b5
@thebenignhacker thebenignhacker merged commit a7104d6 into main Mar 12, 2026
1 check passed
@thebenignhacker thebenignhacker deleted the docs/v0.10.0-readme branch March 12, 2026 06:46
github-actions[bot]
github-actions bot approved these changes Mar 12, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

VERDICT: APPROVE

SUMMARY: This is a documentation-focused PR that updates the README to document new --publish and --registry-url flags for version 0.10.0, along with version bumps in package files. The only code changes are minor improvements to the external scanner: protocol validation, private IP warnings, and fixing an insecure SSL default. After verifying the full source code, no security or correctness issues were introduced.

FINDINGS:
None. All potential security concerns were adequately mitigated:

  • Protocol validation (lines 73-82 in external-scanner.ts): Blocks dangerous protocols like file://, gopher://, allowing only http:// and https://. This prevents SSRF via protocol smuggling.

  • Private IP scanning (lines 61-72, 89-94): Detects RFC 1918 ranges and cloud metadata endpoints (169.254.169.254), logs a warning, but allows scanning to proceed — correct for a security scanner's legitimate use case.

  • SSL certificate validation (line 318 in external-scanner.ts): The fix corrects inverted logic from the previous code (rejectUnauthorized: false hardcoded). Now properly respects the insecure flag with correct boolean logic (rejectUnauthorized: !insecure), defaulting to secure (rejecting unauthorized certs).

  • Command injection mitigation (lines 562-564 in soul/scanner.ts): Replaced shell-interpolated execSync with execFileSync using array arguments, eliminating shell injection risk when passing the prompt to the claude CLI.

All changes pass the verification mandate — mitigations are present in the same code paths where vulnerabilities could have existed.

Reviewed 7 files changed (10577 bytes)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@thebenignhacker