claude-code

ros/claude-code

Fork 0

mirror of https://github.com/anthropics/claude-code.git synced 2026-01-30 04:02:03 +00:00

Commit Graph

Author	SHA1	Message	Date
Claude	ff0fdc0676	fix(security): Resolve symlinks before checking deny rules (CVE-2025-59829) This commit fixes a security vulnerability where deny rules could be bypassed by creating symbolic links to restricted files. Changes: - Add symlink resolution in rule_engine.py _extract_field method - Add symlink resolution in security_reminder_hook.py check_patterns - Create new symlink_deny_hook.py for blocking symlinks to system paths - Include Read tool in file event handlers for deny rule checking - Update hooks.json to apply security hooks to Read tool The vulnerability allowed attackers to bypass deny rules like Read(/etc/passwd) by creating a symlink (e.g., ln -s /etc/passwd test.txt) and then reading the symlink instead of the restricted file directly. The fix uses os.path.realpath() to resolve all symlinks to their canonical paths before checking against deny patterns, ensuring that deny rules are enforced regardless of whether the path is accessed directly or via symlink.	2026-01-08 20:08:08 +00:00
Daisy S. Hollman	59372c0921	feat: Add hookify plugin for custom hook rules via markdown Adds the hookify plugin to public marketplace. Enables users to create custom hooks using simple markdown configuration files instead of editing JSON. Key features: - Define rules with regex patterns to warn/block operations - Create rules from explicit instructions or conversation analysis - Pattern-based matching for bash commands, file edits, prompts, stop events - Enable/disable rules dynamically without editing code - Conversation analyzer agent finds problematic behaviors Changes from internal version: - Removed non-functional SessionStart hook (not registered in hooks.json) - Removed all sessionstart documentation and examples - Fixed restart documentation to consistently state "no restart needed" - Changed license from "Internal Anthropic use only" to "MIT License" - Kept test blocks in core modules (useful for developers) Plugin provides: - 4 commands: /hookify, /hookify:list, /hookify:configure, /hookify:help - 1 agent: conversation-analyzer - 1 skill: writing-rules - 4 hook types: PreToolUse, PostToolUse, Stop, UserPromptSubmit - 4 example rules ready to use All features functional and suitable for public use. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-11-17 03:18:43 -08:00

Author

SHA1

Message

Date

Claude

ff0fdc0676

fix(security): Resolve symlinks before checking deny rules (CVE-2025-59829)

This commit fixes a security vulnerability where deny rules could be
bypassed by creating symbolic links to restricted files.

Changes:
- Add symlink resolution in rule_engine.py _extract_field method
- Add symlink resolution in security_reminder_hook.py check_patterns
- Create new symlink_deny_hook.py for blocking symlinks to system paths
- Include Read tool in file event handlers for deny rule checking
- Update hooks.json to apply security hooks to Read tool

The vulnerability allowed attackers to bypass deny rules like
Read(/etc/passwd) by creating a symlink (e.g., ln -s /etc/passwd test.txt)
and then reading the symlink instead of the restricted file directly.

The fix uses os.path.realpath() to resolve all symlinks to their canonical
paths before checking against deny patterns, ensuring that deny rules are
enforced regardless of whether the path is accessed directly or via symlink.

2026-01-08 20:08:08 +00:00

Daisy S. Hollman

59372c0921

feat: Add hookify plugin for custom hook rules via markdown

Adds the hookify plugin to public marketplace. Enables users to create custom
hooks using simple markdown configuration files instead of editing JSON.

Key features:
- Define rules with regex patterns to warn/block operations
- Create rules from explicit instructions or conversation analysis
- Pattern-based matching for bash commands, file edits, prompts, stop events
- Enable/disable rules dynamically without editing code
- Conversation analyzer agent finds problematic behaviors

Changes from internal version:
- Removed non-functional SessionStart hook (not registered in hooks.json)
- Removed all sessionstart documentation and examples
- Fixed restart documentation to consistently state "no restart needed"
- Changed license from "Internal Anthropic use only" to "MIT License"
- Kept test blocks in core modules (useful for developers)

Plugin provides:
- 4 commands: /hookify, /hookify:list, /hookify:configure, /hookify:help
- 1 agent: conversation-analyzer
- 1 skill: writing-rules
- 4 hook types: PreToolUse, PostToolUse, Stop, UserPromptSubmit
- 4 example rules ready to use

All features functional and suitable for public use.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-17 03:18:43 -08:00

2 Commits