From 8d8aa53c6111c2f259c5142188e93602c3139bba Mon Sep 17 00:00:00 2001
From: Claude
Date: Sat, 13 Dec 2025 11:09:15 +0000
Subject: [PATCH 1/2] fix(security): prevent command injection in test-hook.sh

The test-hook.sh script had a command injection vulnerability where the hook script path was used unquoted in a bash -c context:

output=$(timeout "$TIMEOUT" bash -c "cat '$TEST_INPUT' | $HOOK_SCRIPT")

This allowed potential code execution if a malicious path was provided.

Changes:
- Add input validation to reject paths with shell metacharacters
- Use a flag to track executable status instead of modifying the path
- Use proper argument passing via bash -c positional parameters
- Arguments are now safely passed as $1 and $2 instead of string concat

The fix uses the pattern:
bash -c 'cat "$1" | "$2"' -- "$TEST_INPUT" "$HOOK_SCRIPT"

This ensures paths are treated as literal strings, not shell code.
---
 .../hook-development/scripts/test-hook.sh | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh b/plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh
index 527b119..1d10b41 100755
--- a/plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh
+++ b/plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh
@@ -141,9 +141,19 @@ if [ ! -f "$HOOK_SCRIPT" ]; then
 exit 1
 fi

+# Security: Validate hook script path doesn't contain dangerous characters
+# This prevents potential command injection through maliciously crafted paths
+if [[ "$HOOK_SCRIPT" =~ [\;\|\&\`\$\(\)\{\}\<\>] ]]; then
+ echo "❌ Error: Hook script path contains invalid characters"
+ echo " Path must not contain: ; | & \` \$ ( ) { } < >"
+ exit 1
+fi
+
+# Track if we need to invoke with bash explicitly
+HOOK_IS_EXECUTABLE=true
 if [ ! -x "$HOOK_SCRIPT" ]; then
 echo "⚠️ Warning: Hook script is not executable. Attempting to run with bash..."
- HOOK_SCRIPT="bash $HOOK_SCRIPT"
+ HOOK_IS_EXECUTABLE=false
 fi

 if [ ! -f "$TEST_INPUT" ]; then
@@ -187,7 +197,13 @@ echo ""

 start_time=$(date +%s)
 set +e
-output=$(timeout "$TIMEOUT" bash -c "cat '$TEST_INPUT' | $HOOK_SCRIPT" 2>&1)
+# Use proper argument passing to prevent command injection
+# Arguments are passed safely via bash -c's positional parameters
+if [ "$HOOK_IS_EXECUTABLE" = true ]; then
+ output=$(timeout "$TIMEOUT" bash -c 'cat "$1" | "$2"' -- "$TEST_INPUT" "$HOOK_SCRIPT" 2>&1)
+else
+ output=$(timeout "$TIMEOUT" bash -c 'cat "$1" | bash "$2"' -- "$TEST_INPUT" "$HOOK_SCRIPT" 2>&1)
+fi
 exit_code=$?
 set -e

From 3b2937635252d02c54304351bd3174c425d383be Mon Sep 17 00:00:00 2001
From: Steve Nims
Date: Sat, 13 Dec 2025 06:39:39 -0500
Subject: [PATCH 2/2] fix(security): add TEST_INPUT path validation for defense-in-depth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mirrors the HOOK_SCRIPT validation to ensure consistency and defense-in-depth, even though the positional parameter approach already protects against injection.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 .../skills/hook-development/scripts/test-hook.sh | 8 ++++++++
 1 file changed, 8 insertions(+)
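Review bot: The comment on the metacharacter check in the first hunk of PATCH 1/2 (`@@ -141,9 +141,19 @@`) says it prevents command injection, but after this commit the path reaches the inner shell only as a positional parameter, so the check is at most a secondary guard. As a denylist it is also incomplete (quotes, backslash, whitespace and newlines are not covered), and it rejects legitimate paths such as directories whose names contain `(` or `&`. I would reword the comment to `# Defense-in-depth only: the path is passed as "$2" below and never parsed as shell code; this list is not exhaustive`, or drop the check. The incompleteness and the false rejections apply equally to the mirrored TEST_INPUT check in PATCH 2/2.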
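Review bot: In the second hunk of PATCH 1/2 (`@@ -187,7 +197,13 @@`), `"$2"` is still used as a command word, so a hook path without a slash (for example `hook.sh` in the current directory) passes the earlier `-f`/`-x` tests but is then resolved through `PATH`, which may run a different file than the one that was checked. A path beginning with `-` would likewise be read as an option by `cat "$1"` and `bash "$2"`. Normalising relative paths before use, e.g. `case "$HOOK_SCRIPT" in /*) ;; *) HOOK_SCRIPT="./$HOOK_SCRIPT" ;; esac` (and the same for `TEST_INPUT`), closes both; at minimum write `cat -- "$1"` and `bash -- "$2"`. The inner `bash -c` could also be dropped in favour of `timeout "$TIMEOUT" "$HOOK_SCRIPT" < "$TEST_INPUT"`, which leaves no shell source to parse at all.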
diff --git a/plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh b/plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh
index 1d10b41..8c9b82d 100755
--- a/plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh
+++ b/plugins/plugin-dev/skills/hook-development/scripts/test-hook.sh
@@ -161,6 +161,14 @@ if [ ! -f "$TEST_INPUT" ]; then
 exit 1
 fi

+# Security: Validate test input path doesn't contain dangerous characters
+# This mirrors the HOOK_SCRIPT validation for defense-in-depth
+if [[ "$TEST_INPUT" =~ [\;\|\&\`\$\(\)\{\}\<\>] ]]; then
+ echo "❌ Error: Test input path contains invalid characters"
+ echo " Path must not contain: ; | & \` \$ ( ) { } < >"
+ exit 1
+fi
+
 # Validate test input JSON
 if ! jq empty "$TEST_INPUT" 2>/dev/null; then
 echo "❌ Error: Test input is not valid JSON"
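Review bot: The check added in this hunk is a verbatim copy of the HOOK_SCRIPT check from PATCH 1/2, differing only in the variable and one word of the message, so the two character classes can drift apart when one of them is edited. A small helper defined once and called for both paths keeps them in step; the sketch below reuses the regex and messages from the hunk unchanged. It relies on `[[ … =~ … ]]` as the hunk does, so it assumes the script runs under bash, which the visible lines do not confirm.

```shell
# Exits with an error when the given path contains a listed shell metacharacter.
# Defense-in-depth only; the hook itself is invoked with positional parameters.
reject_metachars() {
  local label=$1 path_value=$2
  if [[ "$path_value" =~ [\;\|\&\`\$\(\)\{\}\<\>] ]]; then
    echo "❌ Error: $label path contains invalid characters"
    echo " Path must not contain: ; | & \` \$ ( ) { } < >"
    exit 1
  fi
}

# … unchanged: existence checks for both paths …
reject_metachars "Hook script" "$HOOK_SCRIPT"
reject_metachars "Test input" "$TEST_INPUT"
```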