Skip to content

feat: security pattern whitelist for output filters #443

New issue
New issue
Closed
#452
Closed
feat: security pattern whitelist for output filters#443
#452
Labels
securitySecurity hardeningtoolsTool execution and MCP integration
@bug-ops

Description

@bug-ops
bug-ops
opened on Feb 17, 2026

Parent

Epic #426, Plan: .local/plan/m26.1-output-filtering-improvements.md
Priority: P0 (security critical)

Problem

Aggressive filtering can hide security-critical warnings (e.g., unused Result on decrypt_password, panic traces, SQL injection patterns).

Design

SecurityPatterns struct with compiled regex list covering 6 categories:

  1. Rust compiler warnings (unused Result, panic at, unwrap())
  2. Unsafe code (unsafe code, FFI, raw pointer)
  3. Auth (authentication failed, unauthorized, 401/403)
  4. Crypto (weak cipher, deprecated algorithm, MD5, SHA-1)
  5. SQL/Injection (SQL injection, unsafe query)
  6. Dependencies (RUSTSEC-, security advisory)

All filters call security whitelist before returning. Appends preserved lines with visual separator. User-defined patterns via config (additive).

Acceptance Criteria

  • SecurityPatterns struct with regex list
  • extract_security_lines() method
  • Core patterns cover all 6 categories (18+ patterns)
  • All filters call security whitelist
  • Config for user-defined patterns
  • Unit tests for each category
  • Integration test: filter + security warning preservation
  • Performance: <10us for 100KB input

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity hardeningtoolsTool execution and MCP integration

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions