Expand unicode stego detection, align taxonomy, fix release-test findings #58

Merged
thebenignhacker merged 6 commits into main from feat/unicode-stego-contribute on Mar 18, 2026
Conversation

@thebenignhacker
Contributor

Summary

  • Expand UNICODE-STEGO-001 detection: zero-width chars (U+200B-200D), mid-file BOM (U+FEFF, skip offset 0), bidi overrides (U+202A-202E, U+2066-2069). Severity: bidi/variation/tag = critical, zero-width-only = high
  • Add UNICODE-STEGO-005 homoglyph confusable detection: 20 Cyrillic/Greek/Fullwidth codepoints, skips comment lines, severity high
  • Expand scanned file types to include .py, .md, .txt, .yaml, .yml, .json, .toml
  • Add --ci flag to secure and scan-soul: suppresses prompts, defaults --no-contribute, exits non-zero on any findings
  • Align all taxonomy identifiers with OpenA2A Registry attack classes (27 mappings updated)
  • Fix scan --json outputting text prefix before JSON (P1 from release test)
  • Fix backup directory being scanned after --fix, causing phantom CRITICAL findings and stuck score
  • Fix rollback error referencing nonexistent "harden --fix" command
  • Shell-escape file paths in advisory fix command strings (security review finding)
  • Add buildContributionSummary() for transparency preview
  • 18 new test cases, 1050/1050 suite passes

Test plan

  • Unit tests: 1050/1050 pass (18 new unicode-stego tests)
  • Manual verification: 14/14 detection expectations pass (zero-width, BOM, bidi, homoglyphs, file types, negatives, severity rules, taxonomy mapping)
  • Fresh-user release test: 13/13 commands tested, all P1/P2 issues fixed
  • Security review: shell injection in fix strings fixed, no remaining CRITICAL/HIGH
  • HMA self-scan: all findings from test fixtures or self-detection patterns
  • Scan/fix/rescan loop: score improves correctly (0 -> 100 after fix, no phantom backup findings)
  • --ci flag: exits 1 on findings, exits 0 on clean, suppresses prompts

…glyphs, and --ci flag

- Expand UNICODE-STEGO-001 to detect zero-width chars (U+200B-200D),
  mid-file BOM (U+FEFF, skip offset 0), and bidi overrides (U+202A-202E,
  U+2066-2069). Bidi/variation/tag = critical, zero-width-only = high.
- Add UNICODE-STEGO-005 homoglyph confusable detection for Cyrillic/Greek/
  Fullwidth characters that look identical to Latin. Skips comment lines.
- Expand scanned file types beyond JS/TS to include .py, .md, .txt, .yaml,
  .yml, .json, .toml.
- Add --ci flag to secure and scan-soul commands: suppresses interactive
  prompts, defaults --no-contribute, exits non-zero on any findings.
- Add buildContributionSummary() for transparency preview of contribution data.
- Map UNICODE-STEGO-005 to STEGO-INJECT in attack taxonomy.
- Add 18 new test cases covering all new detection patterns.

HMA taxonomy.ts was using different attack class identifiers than the
registry seed data. Aligned all mappings to match registry identifiers:

- SOUL-OVERRIDE -> PHANTOM-SOUL (HB checks) + SOUL-HIJACK (HO checks)
- SOUL-COLLUDE -> SOUL-FORK
- SOUL-TH-005 -> SOUL-IMPERSONATE (was SOUL-INJECT)
- HV-DECEPTION/MANIPULATION/UNSAFE-CODE/RESOURCE-ABUSE -> SOUL-HV-001/002/003/004
- CRED-HARVEST -> RETROACTIVE-PRIV
- STEGO-INJECT -> UNICODE-STEGO
- SOUL-PERSIST -> HEARTBEAT-RCE
- SOUL-EXFIL -> SKILL-EXFIL
- ORG-SKILL-SUPPLY -> ORG-SKILL-SPREAD
- IDENTITY-SPOOF -> AGENT-IMPERSONATE
- DNA-FORGE -> BEHAVIORAL-IMPERSONATE
- SKILL-MEM -> SKILL-MEM-AMP
- SKILL-ADVERSARIAL -> SKILL-FRONTMATTER

…essage

- Fix P1: scan --json was outputting "Scanning..." text before JSON,
  breaking downstream JSON parsers. Now suppresses text in --json mode.
- Fix P3: rollback error referenced nonexistent "harden --fix" command,
  corrected to "secure --fix".

Registry seed includes ASKILL-002 in SKILL-FRONTMATTER hmaCheckIds.
HMA taxonomy was missing this mapping.

The .hackmyagent-backup/ directory (created by --fix) was being scanned
by findFilesMatching(), causing phantom CRITICAL findings on backup copies
of .env files. This made the scan/fix/rescan loop show no score improvement
because the backup itself created new findings.

Add .hackmyagent-backup to the skip list in findFilesMatching().

Security review found that relativePath was interpolated unsanitized
into shell commands in fix suggestion strings. A crafted filename with
shell metacharacters could be dangerous if a user copy-pastes the
suggested command.

- Add shellEscape() helper for xxd/grep suggestions (STEGO-001, -004)
- Use JSON.stringify() for node -e suggestions (STEGO-003, -005)
- Fix incorrect UTF-8 encoding in comment (EF 80 8B -> E2 80 8B)
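The detection rules the PR summary and the first commit message describe (zero-width characters, a BOM anywhere except offset 0, bidi overrides, the critical-vs-high severity split, homoglyph confusables that skip comment lines, and the expanded file-type list), as an added example that is not the hackmyagent project's scanner code. The finding ids and severities follow the PR text; the confusable subset, the comment-line heuristic, the severity given to a mid-file BOM, and the sample input are assumptions.

```javascript
// Added example, not code from the hackmyagent project: a minimal scanner
// modelled on the UNICODE-STEGO-001 / -005 rules described in PR #58.

const ZERO_WIDTH = new Set([0x200b, 0x200c, 0x200d]);          // ZWSP, ZWNJ, ZWJ
const BIDI = new Set([0x202a, 0x202b, 0x202c, 0x202d, 0x202e,   // LRE, RLE, PDF, LRO, RLO
                      0x2066, 0x2067, 0x2068, 0x2069]);         // LRI, RLI, FSI, PDI
const BOM = 0xfeff;

// Assumed subset of a confusable table: codepoint -> Latin look-alike.
const HOMOGLYPHS = new Map([
  [0x0430, 'a'], [0x0435, 'e'], [0x043e, 'o'], [0x0440, 'p'], [0x0441, 'c'], // Cyrillic
  [0x03bf, 'o'], [0x03b1, 'a'],                                             // Greek
  [0xff41, 'a'], [0xff45, 'e'],                                             // Fullwidth
]);

const SCANNED_EXT = new Set(['.js', '.ts', '.py', '.md', '.txt', '.yaml', '.yml', '.json', '.toml']);

function isScannable(filename) {
  const m = /\.[^./\\]+$/.exec(filename);
  return m !== null && SCANNED_EXT.has(m[0].toLowerCase());
}

// Assumed heuristic: lines starting with // or # are skipped for the
// homoglyph check only; hidden characters are reported wherever they occur.
function isCommentLine(line) {
  return /^\s*(\/\/|#)/.test(line);
}

function classify(cp) {
  if (ZERO_WIDTH.has(cp)) return { id: 'UNICODE-STEGO-001', kind: 'zero-width', severity: 'high' };
  if (BIDI.has(cp)) return { id: 'UNICODE-STEGO-001', kind: 'bidi', severity: 'critical' };
  if (cp >= 0xfe00 && cp <= 0xfe0f) return { id: 'UNICODE-STEGO-001', kind: 'variation-selector', severity: 'critical' };
  if (cp >= 0xe0000 && cp <= 0xe007f) return { id: 'UNICODE-STEGO-001', kind: 'tag', severity: 'critical' };
  if (cp === BOM) return { id: 'UNICODE-STEGO-001', kind: 'mid-file-bom', severity: 'high' }; // severity assumed
  if (HOMOGLYPHS.has(cp)) return { id: 'UNICODE-STEGO-005', kind: 'homoglyph', severity: 'high' };
  return null;
}

// Returns one finding per suspicious codepoint: {id, kind, severity, line, offset, codepoint}.
function scanUnicodeStego(text) {
  const findings = [];
  const lines = text.split('\n');
  let lineStart = 0; // offset of the current line's first UTF-16 unit in `text`
  lines.forEach((line, idx) => {
    const comment = isCommentLine(line);
    for (let i = 0; i < line.length; i++) {
      const cp = line.codePointAt(i);
      const offset = lineStart + i;
      if (cp > 0xffff) i++; // skip the low surrogate of an astral codepoint
      const f = classify(cp);
      if (f === null) continue;
      if (f.kind === 'mid-file-bom' && offset === 0) continue; // a leading BOM is legitimate
      if (f.kind === 'homoglyph' && comment) continue;
      findings.push({ ...f, line: idx + 1, offset,
                      codepoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0') });
    }
    lineStart += line.length + 1;
  });
  return findings;
}

// Highest severity across findings, or 'none' for a clean file.
function overallSeverity(findings) {
  const rank = { none: 0, high: 1, critical: 2 };
  return findings.reduce((acc, f) => (rank[f.severity] > rank[acc] ? f.severity : acc), 'none');
}

// Constructed sample (not from the PR): a leading BOM, a homoglyph inside a
// comment, a zero-width space inside a string, a bidi override at line
// start, and a Cyrillic 'a' inside an identifier.
const SAMPLE = [
  '\uFEFFconst token = "abc";',
  '// c\u043Emment text, skipped for homoglyphs',
  'const x = "a\u200Bb";',
  '\u202Eif (isAdmin) {',
  'const p\u0430ss = 1;',
].join('\n');

for (const f of scanUnicodeStego(SAMPLE)) console.log(f);
console.log('overall:', overallSeverity(scanUnicodeStego(SAMPLE)));
```

Running it on the constructed sample reports three findings (the zero-width space as high, the bidi override as critical, the Cyrillic identifier as UNICODE-STEGO-005) and an overall severity of critical; the leading BOM and the homoglyph inside the comment line are not reported.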

@github-actions github-actions bot left a comment

Claude Code Review

Security Review: PR #58

VERDICT: APPROVE

SUMMARY:

This PR expands unicode steganography detection, adds homoglyph confusables scanning, fixes critical shell injection in advisory fix commands, resolves backup directory scanning bug, adds CI mode, and aligns taxonomy with OpenA2A Registry. All security findings from previous review have been adequately addressed. The shellEscape() function properly mitigates command injection risks in fix advisory strings. No new critical or high-severity vulnerabilities introduced.

FINDINGS:

None. All previous security issues have been mitigated:

Previous Review Findings — STATUS:

  1. [FIXED] Shell injection in fix commands: Now using shellEscape() function (lines 6884-6887 in scanner.ts) that wraps paths in single quotes and escapes embedded quotes. Applied to all three advisory fix commands (lines 6951, 7122, 7183).

  2. [FIXED] Backup directory scanning: .hackmyagent-backup now excluded from directory traversal (line 5464 in scanner.ts), preventing phantom CRITICAL findings after --fix operations.

  3. [VERIFIED] No ReDoS patterns: Unicode detection uses byte-level comparisons and bounded loops, not regex on untrusted input.

  4. [VERIFIED] No path traversal: Uses path.relative() for display only, no file operations on user-controlled paths.

  5. [VERIFIED] Array-based command execution: No shell interpolation risks (spawn/exec not used with user input).

Code Quality Notes (non-blocking):

  • shellEscape() implementation is correct (single-quote escaping)
  • Homoglyph detection skips comments to reduce false positives
  • CI mode properly suppresses prompts and returns non-zero exit codes
  • Taxonomy alignment changes are data-only mapping updates

Reviewed 5 files changed (35127 bytes)
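The escaping the commit message and the review above describe (wrap the path in single quotes and escape embedded quotes; JSON-encode the path for node -e one-liners), as an added example that is not the project's code. The shapes of the two advisory commands, the shellWords helper used to confirm the escaped path survives as a single argument, and the sample filename are assumptions.

```javascript
// Added example, not code from the hackmyagent project: single-quote
// escaping for paths interpolated into copy-pasteable advisory commands.

// Inside POSIX single quotes no character is special except the quote
// itself, so an embedded quote is emitted as: close, escaped quote, reopen.
function shellEscape(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// Assumed advisory shape for a zero-width-space finding: hex dump the file
// and count occurrences of the UTF-8 encoding of U+200B (E2 80 8B).
function xxdAdvisory(relativePath) {
  return 'xxd -p ' + shellEscape(relativePath) + ' | grep -io e2808b';
}

// Assumed advisory shape for a node -e one-liner: JSON.stringify turns the
// path into a valid JS string literal (quotes and backslashes escaped), and
// shellEscape then protects the whole script from the shell.
function nodeAdvisory(relativePath) {
  const script = 'const s=require("fs").readFileSync(' + JSON.stringify(relativePath) +
                 ',"utf8");console.log((s.match(/\\u200B/g)||[]).length)';
  return 'node -e ' + shellEscape(script);
}

// Tiny single-quote-aware word splitter (whitespace separation, '...' and
// backslash escapes only), used to check that an escaped path comes back
// as exactly one argument with its metacharacters intact.
function shellWords(cmd) {
  const words = [];
  let cur = '', inWord = false, quoted = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (quoted) {
      if (c === "'") quoted = false; else cur += c;
    } else if (c === "'") {
      quoted = true; inWord = true;
    } else if (c === '\\' && i + 1 < cmd.length) {
      cur += cmd[++i]; inWord = true;
    } else if (/\s/.test(c)) {
      if (inWord) { words.push(cur); cur = ''; inWord = false; }
    } else {
      cur += c; inWord = true;
    }
  }
  if (inWord) words.push(cur);
  return words;
}

// Constructed filename (not from the PR) containing a space, quotes and a
// command substitution, the cases the fix is meant to neutralise.
const ODD_PATH = "odd 'name' $(whoami).env";

console.log(xxdAdvisory(ODD_PATH));
console.log(nodeAdvisory(ODD_PATH));
console.log(shellWords(shellEscape(ODD_PATH)));
```

The round trip through shellWords is the property worth asserting in a test: the escaped path parses back to one word equal to the original filename, so the shell would pass it to xxd or node as data rather than interpret it.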

thebenignhacker merged commit 46505e6 into main on Mar 18, 2026
1 check passed
thebenignhacker deleted the feat/unicode-stego-contribute branch on March 18, 2026 at 17:23