Harden launchers/patchers from external audit + add CI#4
Merged
Conversation
Fixes from an external audit of the workaround launchers and patchers: - Windows wrappers no longer shell out to claude.cmd/.bat. They resolve the npm shim to node + cli.js and spawn with shell:false, failing closed if it cannot be resolved, so prompt/arg metacharacters (& | < > ^ % ") can no longer be interpreted locally. - Thinking launchers (bash + win.js) handle --flag=value forms and validate CC_THINKING_DISPLAY (summarized|omitted). - Context-icon patchers skip ambiguous multi-match bundles instead of replacing globally, matching fix-context-icon.py. - proxy.js strips hop-by-hop headers on both request and response paths and validates CC_THINKING_DISPLAY. - fix-context-icon.py writes via a same-directory temp + os.replace, preserving owner/group/mode, instead of truncate-in-place. - patch-extension.sh drops the Bash 4 mapfile for a portable read loop. - test-thinking-display.sh uses mktemp + trap and optional timeout. - Add tests/test_regressions.py (10 tests) covering the above, including the context-icon single-match happy path; ignore Python bytecode. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- .github/workflows/ci.yml runs bash -n, ShellCheck (severity=warning), node --check, py_compile, and the regression suite on push and PRs. ShellCheck gates at warning severity: the only findings are info-level SC2015 (A && B || C) notes where the C branch is the intended best-effort behavior. - Note in the #5 patcher test that the root-patches-user-owned-file chown path is not exercised by the single-user test and is verified by inspection only. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses an external (Codex) security/robustness audit of the workaround
launchers and patchers.
Fixes
claude.cmd/.bat. They resolve thenpm shim to
node+cli.jsand spawn withshell: false, failing closed ifunresolved, so prompt/arg metacharacters (
& | < > ^ % ") can no longer beinterpreted locally.
--flag=valueforms and validateCC_THINKING_DISPLAY(summarized|omitted).globally, matching
fix-context-icon.py.proxy.jsstrips hop-by-hop headers on both request and response paths andvalidates
CC_THINKING_DISPLAY.fix-context-icon.pywrites via a same-directory temp +os.replace,preserving owner/group/mode, instead of truncate-in-place.
patch-extension.shdrops the Bash 4mapfilefor a portable read loop.test-thinking-display.shusesmktemp+trapand optionaltimeout/gtimeout.Tests + CI
tests/test_regressions.py(10 tests) covering the above, including thecontext-icon single-match happy path and equals-form flag handling.
.github/workflows/ci.ymlrunsbash -n, ShellCheck (severity=warning),node --check,py_compile, and the regression suite on push and PRs.Known limitation
fix-context-icon.pycross-owner chown path (root patching a user-ownedbundle) is verified by inspection only; the single-user test cannot exercise it.