v1.0.3 — rescue allowlist hardening (CRITICAL RCE fix)

@linxule linxule released this 28 May 19:45
· 17 commits to main since this release
298f7f0

Security release — rescue allowlist flag hardening (CRITICAL)

A whole-repo audit (2026-05-28) found that /kimi:rescue's command allowlist was default-deny on command names but trusted allowlisted commands with arbitrary flags. This let a /kimi:rescue session escape its workspace boundary, up to and including a CRITICAL remote/arbitrary command execution. All findings were verified against the real validateShellCommand before and after the fix.

Who is affected: users running /kimi:rescue (the only write-capable command) on versions ≤ 1.0.2. Read-only commands (/kimi:ask, /kimi:review, /kimi:challenge, review gate) were never affected — they deny all non-read tools. Upgrade to 1.0.3.

Fixed

| Severity | Example (allowed before, denied now) | Impact |
|---|---|---|
| CRITICAL | git grep --open-files-in-pager=touch /tmp/x needle | git executes the flag value as a command: arbitrary command execution outside the workspace. Same class as the pre-subcommand git -c core.pager= defense, but smuggled via a subcommand flag. |
| HIGH | go vet -vettool=/bin/x, go test -exec /bin/x | executes an arbitrary binary |
| HIGH | go build -o /tmp/x, sort -o /tmp/x, uniq - /tmp/x, ruff check -o /tmp/x | writes a file outside the workspace |
| HIGH | mypy --junit-xml /tmp/x, pytest --junitxml=/tmp/x | report writers escape the workspace |

Fix

  • A global check rejects flags whose value runs as a command/tool (--open-files-in-pager, -vettool, -toolexec, -exec, -execdir) for every binary; the git -O short form is rejected git-locally (avoids colliding with find -O<level>).
  • The bare -o write short form is rejected per-tool (go, ruff check, sort); uniq IN OUT is rejected in pipelines. The intentional read-only rg -o / grep -o are preserved.
  • mypy / pytest no longer get blanket approval — their report-writing flags are rejected.
  • Test runners (go test, cargo test, pytest) still execute workspace code by design; this is now documented as an explicit trust boundary in docs/safety.md.
  • Regression tests cover every payload plus still-allowed controls. bun run check is green; the allowlist architecture (shell parsing, redirection/chaining rejection, symlink/.git containment) was verified sound. This was a flag-coverage completeness gap, not an architectural flaw.
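The rules above, reduced to a small flag-coverage check as an added example; this is not the project's validateShellCommand, and it assumes the command has already been parsed into an argv array (pipeline and redirection handling, which the real allowlist does separately, is out of scope). The function and set names are illustrative.

```typescript
// Added example, not the project's own code: a minimal flag-coverage check
// modelled on the rules in this release. Assumes argv is already parsed.

// Flags whose value is executed as a command or tool; rejected for every binary.
const COMMAND_RUNNING_FLAGS = new Set([
  "--open-files-in-pager", "-vettool", "-toolexec", "-exec", "-execdir",
]);

// Per-tool flags that write a file or report outside the workspace.
// rg -o / grep -o are read-only (only-matching) and deliberately absent.
const TOOL_LOCAL_DENY: Record<string, Set<string>> = {
  go: new Set(["-o"]),
  sort: new Set(["-o"]),
  ruff: new Set(["-o"]),
  mypy: new Set(["--junit-xml"]),
  pytest: new Set(["--junitxml"]),
};

interface Verdict { allowed: boolean; reason?: string }

// Returns the flag name for both `--flag=value` and `--flag value` forms.
function flagName(arg: string): string {
  const eq = arg.indexOf("=");
  return eq === -1 ? arg : arg.slice(0, eq);
}

function checkFlags(argv: string[]): Verdict {
  if (argv.length === 0) return { allowed: false, reason: "empty command" };
  const tool = argv[0] ?? "";
  const rest = argv.slice(1);
  const localDeny = TOOL_LOCAL_DENY[tool] ?? new Set<string>();

  for (const arg of rest) {
    if (!arg.startsWith("-") || arg === "-") continue; // operand, not a flag
    const name = flagName(arg);
    if (COMMAND_RUNNING_FLAGS.has(name)) {
      return { allowed: false, reason: `${name} executes its value as a command` };
    }
    if (localDeny.has(name)) {
      return { allowed: false, reason: `${tool} ${name} writes outside the workspace` };
    }
    // git -O[<pager>] is the short form of --open-files-in-pager; checked
    // only for git so that find's -O<level> optimisation flag stays allowed.
    if (tool === "git" && arg.startsWith("-O")) {
      return { allowed: false, reason: "git -O runs a pager command" };
    }
  }

  // uniq IN OUT: a second operand is an output path, so it can write anywhere.
  if (tool === "uniq") {
    const operands = rest.filter((a) => a === "-" || !a.startsWith("-"));
    if (operands.length >= 2) {
      return { allowed: false, reason: "uniq with an OUT operand writes a file" };
    }
  }
  return { allowed: true };
}
```

The two-tier shape mirrors the release: one global set for flags that execute their value regardless of binary, and per-tool sets for write flags whose meaning differs between tools, which is exactly why a blanket -o rule would break the read-only rg -o and grep -o controls.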

Also in this release

  • H7 (partial): a local real-binary smoke test (bun run smoke:real) spawns the real kimi -p and proves end-to-end that read-only commands deny forced write attempts. Opt-in; skipped by default so bun run check stays green without a kimi binary.

Verified against kimi-code 0.5.0. No upstream-compat changes.

🤖 Generated with Claude Code