fix(security): harden project settings trust boundary + MCP sanitization
- Sanitize MCP tool result text with recursivelySanitizeUnicode() to prevent Unicode injection via malicious MCP servers (tool definitions and prompts were already sanitized, but tool call results were not) - Read sandbox.enabled only from trusted settings sources (user, local, flag, policy) — exclude projectSettings to prevent malicious repos from silently disabling the sandbox via .claude/settings.json - Disable git hooks in plugin marketplace clone/pull/submodule operations with core.hooksPath=/dev/null to prevent code execution from cloned repos - Remove ANTHROPIC_FOUNDRY_API_KEY from SAFE_ENV_VARS to prevent credential injection from project-scoped settings without trust verification - Add ssrfGuardedLookup to WebFetch HTTP requests to block DNS rebinding attacks that could reach cloud metadata or internal services Security: closes trust boundary gap where project settings could override security-critical configuration. Follows the existing pattern established by hasAllowBypassPermissionsMode() which already excludes projectSettings. Co-authored-by: auriti <auriti@users.noreply.github.com>
This commit is contained in:
Juan Camilo
@@ -532,6 +532,7 @@ export async function gitPull(
|
||||
): Promise<{ code: number; stderr: string }> {
|
||||
logForDebugging(`git pull: cwd=${cwd} ref=${ref ?? 'default'}`)
|
||||
const env = { ...process.env, ...GIT_NO_PROMPT_ENV }
|
||||
const baseArgs = ['-c', 'core.hooksPath=/dev/null']
|
||||
const credentialArgs = options?.disableCredentialHelper
|
||||
? ['-c', 'credential.helper=']
|
||||
: []
|
||||
@@ -539,7 +540,7 @@ export async function gitPull(
|
||||
if (ref) {
|
||||
const fetchResult = await execFileNoThrowWithCwd(
|
||||
gitExe(),
|
||||
[...credentialArgs, 'fetch', 'origin', ref],
|
||||
[...baseArgs, ...credentialArgs, 'fetch', 'origin', ref],
|
||||
{ cwd, timeout: getPluginGitTimeoutMs(), stdin: 'ignore', env },
|
||||
)
|
||||
|
||||
@@ -549,7 +550,7 @@ export async function gitPull(
|
||||
|
||||
const checkoutResult = await execFileNoThrowWithCwd(
|
||||
gitExe(),
|
||||
[...credentialArgs, 'checkout', ref],
|
||||
[...baseArgs, ...credentialArgs, 'checkout', ref],
|
||||
{ cwd, timeout: getPluginGitTimeoutMs(), stdin: 'ignore', env },
|
||||
)
|
||||
|
||||
@@ -559,7 +560,7 @@ export async function gitPull(
|
||||
|
||||
const pullResult = await execFileNoThrowWithCwd(
|
||||
gitExe(),
|
||||
[...credentialArgs, 'pull', 'origin', ref],
|
||||
[...baseArgs, ...credentialArgs, 'pull', 'origin', ref],
|
||||
{ cwd, timeout: getPluginGitTimeoutMs(), stdin: 'ignore', env },
|
||||
)
|
||||
if (pullResult.code !== 0) {
|
||||
@@ -571,7 +572,7 @@ export async function gitPull(
|
||||
|
||||
const result = await execFileNoThrowWithCwd(
|
||||
gitExe(),
|
||||
[...credentialArgs, 'pull', 'origin', 'HEAD'],
|
||||
[...baseArgs, ...credentialArgs, 'pull', 'origin', 'HEAD'],
|
||||
{ cwd, timeout: getPluginGitTimeoutMs(), stdin: 'ignore', env },
|
||||
)
|
||||
if (result.code !== 0) {
|
||||
@@ -625,6 +626,8 @@ async function gitSubmoduleUpdate(
|
||||
[
|
||||
'-c',
|
||||
'core.sshCommand=ssh -o BatchMode=yes -o StrictHostKeyChecking=yes',
|
||||
'-c',
|
||||
'core.hooksPath=/dev/null',
|
||||
...credentialArgs,
|
||||
'submodule',
|
||||
'update',
|
||||
@@ -810,6 +813,8 @@ export async function gitClone(
|
||||
const args = [
|
||||
'-c',
|
||||
'core.sshCommand=ssh -o BatchMode=yes -o StrictHostKeyChecking=yes',
|
||||
'-c',
|
||||
'core.hooksPath=/dev/null',
|
||||
'clone',
|
||||
'--depth',
|
||||
'1',
|
||||
|
||||
Reference in New Issue
Block a user