v0.4.5 — security hardening (bash.allow, audit redaction, cap validation)

@hamr0 hamr0 released this 23 May 18:56
· 58 commits to main since this release

Hardening follow-up to v0.4.4's audit. Three of the four remaining findings fixed; the fourth (allows()/askHuman) is documented rather than changed (it's correct for its pre-filter purpose).

Security

  • bash.allow fails closed on shell metacharacters. When allow is set, commands containing ; | & $ ` ( ) < > newline are denied (bash.allow.shellMeta) — a prefix allowlist can't bound what runs after a chain/pipe/substitution. Denies legit git log | head by design; use content.denyPatterns for chaining-aware screening.
  • Audit auto-redacts when secrets is configured. The gate redacts action/result/reason on every audit line at write time, so raw secrets never hit the JSONL. Eval runs on the unredacted action — matching is never weakened (and this is more correct than the old pre-check() redact pattern). reason is included because diagnostics can echo action data (e.g. net.invalidUrl embeds the URL).
  • raiseCap/topup reject negative & non-finite caps. A negative cap silently wedged the run in permanent halt; lowering a positive cap stays allowed.
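Why the bash.allow change is needed, as an added example that is not the project's own code: a plain prefix allowlist is compared with a fail-closed check over the metacharacters listed in the first bullet. The function names, the sample commands, the `example.prefixMiss` reason code and the treatment of an unset allowlist are assumptions made for illustration; only `bash.allow.shellMeta` comes from the release note.

```javascript
// Added illustration, not the project's implementation.
// Metacharacters from the release note: ; | & $ ` ( ) < > newline
const SHELL_META = /[;|&$`()<>\n]/;

// Plain prefix allowlist: checks only how the command starts,
// so anything after a chain, pipe or substitution is unbounded.
function naivePrefixAllow(command, allow) {
  return allow.some((prefix) => command.startsWith(prefix));
}

// Fail-closed variant: reject any metacharacter before looking at prefixes.
function checkBashAllow(command, allow) {
  // Assumption: with no allowlist configured, this check does not apply.
  if (!Array.isArray(allow) || allow.length === 0) {
    return { allowed: true, reason: null };
  }
  if (SHELL_META.test(command)) {
    return { allowed: false, reason: 'bash.allow.shellMeta' };
  }
  // Match a whole prefix: exact, or followed by a space and arguments.
  const hit = allow.some((p) => command === p || command.startsWith(p + ' '));
  // 'example.prefixMiss' is a hypothetical reason code for this example.
  return hit
    ? { allowed: true, reason: null }
    : { allowed: false, reason: 'example.prefixMiss' };
}

// Constructed sample input; none of these come from the project's tests.
const ALLOW = ['git log', 'git status'];
const SAMPLES = [
  'git log --oneline -5',
  'git log | head',
  'git status && echo chained',
  'git status\necho second-line',
  'npm install',
];

// Returns one row per command showing where the two checks disagree.
function compare(commands, allow) {
  return commands.map((command) => ({
    command,
    naive: naivePrefixAllow(command, allow),
    hardened: checkBashAllow(command, allow),
  }));
}

for (const row of compare(SAMPLES, ALLOW)) {
  console.log(JSON.stringify(row));
}
```

The rows where `naive` is true and `hardened.allowed` is false are the commands a prefix match alone would have passed, including the `git log | head` case the note says is denied by design.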

Tests

Suite 93 → 100 (test/security-hardening.test.js), green on ubuntu/macos/windows × Node 20/22.

Full notes in CHANGELOG.