enhance dangerous pattern recognition in hooks: rf, force push, sql...#118
Conversation
…atterns, .env, <redacted>
Rosetta Triage ReviewSummary: This PR strengthens the Findings:
Suggestions:
Automated triage by Rosetta agent |
Rosetta Triage ReviewSummary: This PR significantly expands the dangerous-actions hook's detection coverage across six dimensions (G-1 through G-6): unified shell evaluation against all three pattern sets (bash, paths, content), robust Findings:
Suggestions:
Automated triage by Rosetta agent |
|
Critical issue identified: original and new code did redacting of secrets => this is breaking, this is not to be address by rosetta. |
Reconcile hook changes with main's "hooks normalization" / "Fix cursor hooks": - ide-rows/cursor.ts, ide-registry.ts: both sides added Cursor `Shell` → bash mapping; kept main's broadened `replace: ['Edit','Write']` + our doc comments. - evaluate.ts: kept our advise-tier / no-hard-deny semantics (main still had hard-deny, which our patterns.ts no longer defines), adopting main's debugLogHookBranch logging style. - Recompiled tracked dist/src; installed new json-cycle dep (package-lock). All 737 hook tests pass; tsc --noEmit clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Rosetta Triage ReviewSummary: This PR improves the Findings:
Suggestions:
Automated triage by Rosetta agent |
|
@sveto We need to have a call, you do something really wrong with merging branches. I can see again as if you add read-once hook, while it should not even appear in your case. This PR is broken because of that. You merge somehow incorrect. |
|
Also on the call I told we don't need evidence, why is it there? What problem does this solve? |
…of PR diff) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… dist out of PR) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…rmission change', 'credential file overwrite' etc.)
Rosetta Triage ReviewSummary: This PR improves the Findings:
Suggestions:
Automated triage by Rosetta agent |
Rosetta Triage ReviewSummary: Enhances the Findings:
Suggestions (optional):
Automated triage by Rosetta agent |
Task 1: dangerous-actions pattern coverage (jira #1646)
G-1:
evalBash(and MCP shell fields) runDANGEROUS_BASH+DANGEROUS_CONTENT. Path scanning of free-form shell strings (extractPathCandidates/stripQuotes) was added in G-1 but later dropped (see Task 2 simplification) -- a directWrite/Editto a key file still triggers the path check.G-2:
rm -r -fand similar commands with flags are now being catched, including situations where the flags are written after the folder name:rm myfolder/ -r -f,rm myfolder -rfetc; also including situations when a flag is inside quotation marks (rm '-rf').G-3: force push with
+prefix being catched, excluding cases where+means something else.G-4: dangerous SQL expressions are being catched, strictly before the first
;.G-5:
.envis now being catched before word end, like in.envandapp.env, but not.envfileorfoo.envx. -- reverted in Task 2.G-6: password-like expressions are now catched and republished as
KEY=<redacted>instead ofKEY=sk-proj-blablah. -- reverted in Task 2).Task 2: remove overreach ("guard AI actions, not user data") (jira #1754)
Two corrections from architecture review. Rosetta's job is a safety guard against unsolicited AI actions, not policing user input.
Secrets removed. Rosetta must not touch passwords / user data. G-6 fully reverted, G-5 fully reverted, secret content detectors (
inline-aws-key, PEM private key) removed.What remains from G-1's path set is narrowed to irreversible key/credential files (
id_rsa,.aws/credentials,.kube/config,.gnupg,.netrc,.pgpass) and reframed as a non-blockingadvisenotice -- same class asrm -rf.Hard-deny removed. All former hard-deny patterns (
rm -rf /,mkfs,dd,chmod -R 777,curl | sh) are now soft-deny (reconsider).Evidence is no longer redacted. The old
redactbranch is gone, the snippet is simply truncated when shown.Shell path-scan simplified.
extractPathCandidatesabdstripQuoteswere removed.Task 3: Bash/Shell (Cursor coverage) (jira #1651)
Cursor runs shell commands via a tool named
Shell, notBash, so the dangerous-actions hook never fired for shell commands in Cursor. Now it does.Task 4: Remove 'evidence', add pre-defined set of rejection reasons.
Mentioned during a tech call. Explored, fixed. There are now 9 possible reasons: unsafe data manipulation, unsafe schema modification, irreversible file deletion, git history rewrite, destructive device operation, unsafe permission change, remote code execution, unsafe infrastructure operation, credential file overwrite.