security: assail-classifications for 8/9 panic-attack #378 findings + delete unfilled flake.nix scaffold #405
Merged
…findings

panic-attack estate sweep flagged 9 Critical/High findings in this repo (issue #378). After per-finding triage, 8 of 9 are false positives or vendored-subtree concerns. The remaining 1 (affinescriptiser/flake.nix) was an unfilled scaffold leftover with {{PROJECT_NAME}} placeholders — deleted in the next commit rather than suppressed.

Classifications added:

UnboundedAllocation (4 sites) — all `std::fs::read_to_string` calls reading local user-authored TOML config/manifest/lockfile/source-file paths. Trust model is identical to rustc/cargo: the user is the operator; an attacker who can write multi-GB files to the user's ~/.config/ is already past the security boundary. Sites:
- affinescriptiser/src/codegen/parser.rs (source path)
- tools/affine-pkg/src/lockfile.rs (lockfile)
- tools/affine-pkg/src/manifest.rs (manifest)
- tools/affine-pkg/src/config.rs (global + project config)

DynamicCodeExecution (2 sites):
- tools/affine-doc/assets/search.js — pattern-matched a COMMENT explaining the code AVOIDS innerHTML. Render path uses .textContent throughout. Confirmed by reading the file.
- road-skate/game/main.js — vendored subtree; fix in upstream hyperpolymath/road-skate, not this tree.

SupplyChain (2 sites):
- road-skate/flake.nix — vendored subtree.
- affinescript-vite/flake.nix — vendored subtree.

Schema cribbed from hyperpolymath/echidna/audits/assail-classifications.a2ml.

Refs #378
Refs hyperpolymath/panic-attack#32

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
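The UnboundedAllocation class above is suppressed on trust-model grounds (the operator owns the files). For the case where that argument stops holding, for instance a manifest or lockfile that arrives from a registry rather than the user's own editor, here is what closing the finding at the call site looks like instead of classifying it. This is an added illustration, not code from the affinescript tree or from panic-attack; `read_to_string_bounded`, `read_config`, the 16 MiB `MAX_CONFIG_BYTES` cap and the sample manifest are all assumptions made for the example. It stacks a cheap `metadata().len()` pre-check with a `Read::take` cap on the stream itself, because the reported length is meaningless for FIFOs, /proc entries, or a file that grows between the stat and the read.

```rust
use std::fs::File;
use std::io::{self, Read};
use std::path::{Path, PathBuf};

/// Size cap for locally authored config/manifest/lockfile inputs.
/// 16 MiB is an assumed value for this example, not a project constant.
pub const MAX_CONFIG_BYTES: u64 = 16 * 1024 * 1024;

#[derive(Debug)]
pub enum BoundedReadError {
    /// The file (or the stream it produced) exceeded `limit` bytes.
    TooLarge { path: PathBuf, seen: u64, limit: u64 },
    Io(io::Error),
}

impl From<io::Error> for BoundedReadError {
    fn from(e: io::Error) -> Self {
        BoundedReadError::Io(e)
    }
}

/// Read `path` as UTF-8 text, refusing to allocate past `limit` bytes.
///
/// Two checks are deliberately stacked:
/// 1. `metadata().len()` rejects obviously oversized regular files before
///    any buffer is allocated.
/// 2. `Read::take(limit + 1)` caps the byte stream itself, because the
///    reported length says nothing about FIFOs, /proc entries, or a file
///    that grows between the stat and the read (TOCTOU).
pub fn read_to_string_bounded(path: &Path, limit: u64) -> Result<String, BoundedReadError> {
    let mut file = File::open(path)?;

    let reported = file.metadata()?.len();
    if reported > limit {
        return Err(BoundedReadError::TooLarge { path: path.to_path_buf(), seen: reported, limit });
    }

    // Pre-size from the reported length, but never beyond the cap.
    let mut bytes = Vec::with_capacity(reported.min(limit) as usize);
    let n = (&mut file).take(limit.saturating_add(1)).read_to_end(&mut bytes)?;
    if n as u64 > limit {
        return Err(BoundedReadError::TooLarge { path: path.to_path_buf(), seen: n as u64, limit });
    }

    // Validate UTF-8 only after the size check, so a multi-byte sequence cut
    // at the cap is reported as "too large" rather than as bad data.
    String::from_utf8(bytes)
        .map_err(|e| BoundedReadError::Io(io::Error::new(io::ErrorKind::InvalidData, e)))
}

/// Convenience wrapper using the example's default cap.
pub fn read_config(path: &Path) -> Result<String, BoundedReadError> {
    read_to_string_bounded(path, MAX_CONFIG_BYTES)
}

fn main() -> Result<(), BoundedReadError> {
    // Constructed sample manifest (assumed content), written to a temp file for the demo.
    let path = std::env::temp_dir().join("bounded_read_demo.toml");
    std::fs::write(&path, "[package]\nname = \"demo\"\nversion = \"0.1.0\"\n")?;

    let text = read_config(&path)?;
    println!("read {} bytes:\n{}", text.len(), text);

    // A cap smaller than the file is refused before anything is buffered.
    println!("8-byte cap rejected: {}", read_to_string_bounded(&path, 8).is_err());

    let _ = std::fs::remove_file(&path);
    Ok(())
}
```

The wrapper is a drop-in for the four `read_to_string` sites listed above; the only behavioural difference on well-formed input is the extra `stat`, and the error variant carries the path and both sizes so the refusal is diagnosable rather than an opaque OOM.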
The file had {{PROJECT_NAME}}, {{CURRENT_YEAR}}, {{AUTHOR}}, etc.
placeholders throughout — never instantiated from the project-scaffold
template. As-is it isn't a usable Nix flake (nix can't parse the
placeholders).
Not referenced by any tool: `grep -rln "affinescriptiser/flake"`
across .sh / .yml / .adoc / .md / .toml / .just returns empty. No
parent flake.nix at the affinescript root either (this is an OCaml +
AffineScript primary repo; Nix is fallback only at the sub-package
level, and the parent has guix.scm as the primary dev env).
Deleting honestly disposes of the unfilled template rather than
suppressing the panic-attack SupplyChain finding (unpinned inputs)
which is technically correct but moot for an un-parseable file. If
affinescriptiser ever needs a real flake.nix later, instantiate from
a fresh template with real values + input pinning + flake.lock.
This is the third commit of the #378 triage (one suppression file +
this delete; the other 8 findings are FPs covered in the suppression
file).
Refs #378
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security Scan
Findings: 56 issues detected
[
{
"reason": "Action actions/checkout@v6 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in affine-vscode-publish.yml",
"type": "unknown",
"file": "affine-vscode-publish.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "unknown",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "unknown",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "unknown",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "unknown",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "unknown",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "unknown",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "unknown",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Summary
Orphan branch surfaced during 2026-05-27 estate sweep — 2 commits ahead of main, no PR ever filed. Adds security audit classifications.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>