Skip to content

[compiler-threat-spec] spec: add CTR-013 Argument Injection via Package/Image Names#31401

Merged: pelikhan merged 1 commit into main from spec/add-ctr-013-argument-injection-1b349d9640e725c3 on May 11, 2026

Conversation

@github-actions (Contributor)
Summary

This PR adds CTR-013 to the compiler threat detection specification, covering the argument injection defense already implemented in the compiler (merged in #31377).

Threat Reviewed

CTR-013 – Argument Injection via Package/Image Names: Package names (npm/npx, pip/uv) and container image names starting with `-` are passed directly to `exec.Command` calls. A name like `--privileged` or `-exploit` would be interpreted as a CLI flag rather than a package/image name, enabling argument injection.

Coverage Status

| Threat | Already Covered? | Action |
|---|---|---|
| CTR-013 Argument Injection via Package/Image Names | ✅ Yes, implemented in name_validation.go, npm_validation.go, pip_validation.go, docker_validation.go | Added to spec |
| CTR-001 through CTR-012 | ✅ Already in spec | No change |

Changes

  • specs/compiler-threat-detection-spec.md
    • Version bumped to 1.0.3
    • CTR-013 added to Section 4.1 core rule catalog
    • T-CTR-013 test ID added to Section 7.1
    • CTR-013 row added to Section 6.1 implementation mapping table
    • Change log entry added

Implementation References

  • pkg/workflow/name_validation.go — shared rejectHyphenPrefixPackages helper
  • pkg/workflow/npm_validation.go — npm/npx guard
  • pkg/workflow/pip_validation.go — pip/uv guard
  • pkg/workflow/docker_validation.go — Docker image guard
  • pkg/workflow/argument_injection_test.go — test coverage

References: §25648717297

Generated by Daily Compiler Threat Spec Optimizer

Add CTR-013 to the compiler threat detection specification to cover
the argument injection defense already implemented in the compiler.

Package and container image names starting with '-' are rejected at
compile time before being passed to exec.Command calls (npm/npx,
pip/uv, Docker), preventing hyphen-prefix names from being interpreted
as CLI flags.

- Add CTR-013 rule to Section 4.1 core rule catalog
- Add T-CTR-013 test ID to Section 7.1 test catalog
- Add CTR-013 row to Section 6.1 implementation mapping table
- Bump version to 1.0.3 and update change log

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
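The guard that CTR-013 describes (in the PR summary above and again in the commit message) is small enough to show end to end. The program below is an added illustration, not code from the compiler: the real helper is named `rejectHyphenPrefixPackages` in `pkg/workflow/name_validation.go`, but its signature is not shown on this page, so the example uses a hypothetical `rejectHyphenPrefix` and illustrative `npm install` / `pip install` / `docker pull` argv shapes. The security point it makes is that `exec.Command` launches the child without a shell, so shell metacharacters in a name are inert, but each argv element still reaches the child's own option parser verbatim; a name beginning with `-` is therefore parsed as a flag unless it is rejected (or the tool is known to honor a `--` separator, which is tool-specific and not something this check relies on). The sample names at the bottom are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// HyphenPrefixError reports a package or image name that the invoked tool
// would parse as an option instead of a positional argument.
type HyphenPrefixError struct {
	Tool string
	Name string
}

func (e *HyphenPrefixError) Error() string {
	return fmt.Sprintf("%s: rejecting name %q: a leading '-' would be interpreted as a CLI flag", e.Tool, e.Name)
}

// rejectHyphenPrefix is a hypothetical stand-in for the compiler's shared
// validation helper (assumed signature, not the project's own code).
// exec.Command passes each argv element to the child verbatim, with no shell,
// so metacharacters are harmless, but the child's option parser still sees
// "--privileged" or "-exploit" as flags. Leading whitespace is trimmed first
// so a padded value such as " --yes" cannot slip past the check.
func rejectHyphenPrefix(tool string, names []string) error {
	for _, n := range names {
		if strings.HasPrefix(strings.TrimLeft(n, " \t"), "-") {
			return &HyphenPrefixError{Tool: tool, Name: n}
		}
	}
	return nil
}

// buildArgv assembles an illustrative argv for each tool family CTR-013
// covers, validating the user-controlled names before they reach the
// command line. The subcommands are examples, not the compiler's exact calls.
func buildArgv(tool string, names []string) ([]string, error) {
	if len(names) == 0 {
		return nil, fmt.Errorf("%s: no package/image names given", tool)
	}
	if err := rejectHyphenPrefix(tool, names); err != nil {
		return nil, err
	}
	var argv []string
	switch tool {
	case "npm":
		argv = []string{"npm", "install"}
	case "npx":
		argv = []string{"npx"}
	case "pip":
		argv = []string{"pip", "install"}
	case "uv":
		argv = []string{"uv", "pip", "install"}
	case "docker":
		argv = []string{"docker", "pull"}
	default:
		return nil, fmt.Errorf("unsupported tool %q", tool)
	}
	return append(argv, names...), nil
}

// prepareCommand is the exec.Command call site with the guard in front of it.
// It returns the prepared *exec.Cmd without running it so the example works
// offline; a real compiler would call cmd.Run() here.
func prepareCommand(tool string, names []string) (*exec.Cmd, error) {
	argv, err := buildArgv(tool, names)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...), nil
}

func main() {
	// Constructed sample inputs: the first two are benign; the remaining three
	// would have been parsed as flags by the child before the CTR-013 guard.
	cases := []struct {
		tool  string
		names []string
	}{
		{"npm", []string{"lodash", "@scope/pkg"}},
		{"docker", []string{"ghcr.io/org/image:1.2"}},
		{"docker", []string{"--privileged"}},
		{"pip", []string{"requests", "-exploit"}},
		{"npx", []string{" --yes"}},
	}
	for _, c := range cases {
		cmd, err := prepareCommand(c.tool, c.names)
		if err != nil {
			fmt.Println("REJECTED:", err)
			continue
		}
		fmt.Println("OK:      ", strings.Join(cmd.Args, " "))
	}
}
```

Running it prints the two accepted argv lines and three rejections. The check is deliberately placed on the names, not on the assembled command string: once a value is an argv element there is nothing left to escape, so the only robust defense is to refuse values whose first non-blank character is `-` before `exec.Command` is ever called.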
