v0.7.2 — security hardening (SSRF/UNC/TOCTOU/prompt-injection/PS quoting)
v0.7.2 — security hardening of the read-only commands
Found by dogfooding /agy:adversarial-review on the 0.7.x code (the plugin reviewing its own new security code — verdict: RETHINK). All five findings fixed:
- SSRF bypasses via IPv6 encodings (
::ffff:7f00:1,::127.0.0.1, hex v4-mapped) and DNS tricks (127.0.0.1.nip.io) are now blocked; public hosts still pass. - Windows UNC/device paths (
\localhost\c$\…\.ssh\…) are rejected by the doc-to-md path guard. - TOCTOU symlink swap on staging closed — doc-to-md stages via one Node step (
lstat→ reject symlink → copy), not a shellcp. - Prompt injection via filename closed — the staged file gets a fixed name (
document.<ext>); the original filename never reaches the prompt. - PowerShell argument splitting fixed —
agy-run.ps1launches Node viaSystem.Diagnostics.Processwith proper quoting, so paths with spaces work.
Defense in depth: agy's env is stripped of CLAUDE_PROJECT_DIR / GIT_* for the read-only commands. 245 unit tests (8 new).
Please update to 0.7.2 if you use /agy:scrape or /agy:doc-to-md.