Skip to content

v0.7.2 — security hardening (SSRF/UNC/TOCTOU/prompt-injection/PS quoting)

Choose a tag to compare

@limeflash limeflash released this 10 Jul 14:02

v0.7.2 — security hardening of the read-only commands

Found by dogfooding /agy:adversarial-review on the 0.7.x code (the plugin reviewing its own new security code — verdict: RETHINK). All five findings fixed:

  • SSRF bypasses via IPv6 encodings (::ffff:7f00:1, ::127.0.0.1, hex v4-mapped) and DNS tricks (127.0.0.1.nip.io) are now blocked; public hosts still pass.
  • Windows UNC/device paths (\localhost\c$\…\.ssh\…) are rejected by the doc-to-md path guard.
  • TOCTOU symlink swap on staging closed — doc-to-md stages via one Node step (lstat → reject symlink → copy), not a shell cp.
  • Prompt injection via filename closed — the staged file gets a fixed name (document.<ext>); the original filename never reaches the prompt.
  • PowerShell argument splitting fixed — agy-run.ps1 launches Node via System.Diagnostics.Process with proper quoting, so paths with spaces work.

Defense in depth: agy's env is stripped of CLAUDE_PROJECT_DIR / GIT_* for the read-only commands. 245 unit tests (8 new).

Please update to 0.7.2 if you use /agy:scrape or /agy:doc-to-md.