fix(security): harden Python hooks (injection + logging + audit) #4

Open
riaworks wants to merge 1 commit into main from fix/hooks-security-hardening

riaworks commented Mar 1, 2026

Summary

  • Escape AppleScript injection in notification_system.py
  • Reduce excessive logging in continuous_save.py (2000→200 chars, metadata-only for tools)
  • Add audit trail for all file modifications in memory_updater.py
  • Replace execSync with execFileSync in gsd-check-update.js

Findings Addressed

| Finding | Severity | File | Fix |
|---|---|---|---|
| M-03 | Medium (CVSS 5.5) | notification_system.py | Escape \ and " in AppleScript strings |
| M-07 | Medium (CVSS 4.3) | continuous_save.py | Reduce truncation to 200 chars, log only metadata |
| M-10 | Medium (CVSS 4.0) | memory_updater.py | Add logs/memory-audit.jsonl audit trail |
| L-07 | Low (CVSS 2.0) | .gitignore | Already covered (__pycache__/ + *.py[cod]) |
| L-11 | Low (CVSS 2.5) | gsd-check-update.js | execFileSync + error handling + documented |

Test plan

  • Trigger notification with title containing " and \ characters
  • Verify continuous_save.py logs max 200 chars per field
  • Verify tool_use entries only log safe metadata keys
  • Trigger memory update and verify logs/memory-audit.jsonl is written
  • Verify gsd-check-update.js still checks for updates without errors
  • Verify no __pycache__ files appear in git status

🤖 Generated with Claude Code

- notification_system.py: Escape backslashes and double quotes in
  AppleScript strings to prevent command injection via notification
  title/message (M-03)
- continuous_save.py: Reduce log truncation from 2000/500 to 200 chars,
  log only safe metadata keys from tool inputs instead of full content
  to prevent sensitive data leakage in session logs (M-07)
- memory_updater.py: Add audit_file_modification() that logs all file
  changes to logs/memory-audit.jsonl with timestamp, file path,
  modification type, and diff summary (M-10)
- gsd-check-update.js: Replace execSync with execFileSync (no shell),
  add error handling for cache writes, document as only hook with
  network access (L-11)

Findings addressed: M-03, M-07, M-10, L-07 (already covered), L-11

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
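
The M-03 escaping described above, as an added example that is not code from this pull request or the project. The function names and the `display notification ... with title ...` script form are assumptions, since the page does not show the contents of notification_system.py; `string_literals` is a small checker written for this example to confirm that each value stays inside one string literal.

```python
"""Added example: escaping text for an AppleScript string literal (M-03)."""


def escape_applescript(text: str) -> str:
    # Backslash first. Escaping quotes first would double the backslash
    # just placed in front of each quote, leaving the quote unescaped.
    return text.replace("\\", "\\\\").replace('"', '\\"')


def build_script(title: str, message: str) -> str:
    # Both values stay inside double-quoted AppleScript string literals.
    return (f'display notification "{escape_applescript(message)}" '
            f'with title "{escape_applescript(title)}"')


def osascript_argv(title: str, message: str) -> list[str]:
    # Argument list for subprocess.run(); no shell is involved.
    return ["osascript", "-e", build_script(title, message)]


def string_literals(script: str) -> list[str]:
    """Decode each double-quoted literal, honouring backslash escapes."""
    found, current, i = [], None, 0
    while i < len(script):
        ch = script[i]
        if current is None:
            if ch == '"':
                current = []          # opening quote
        elif ch == "\\" and i + 1 < len(script):
            current.append(script[i + 1])  # escaped character, taken as-is
            i += 1
        elif ch == '"':
            found.append("".join(current))  # closing quote
            current = None
        else:
            current.append(ch)
        i += 1
    if current is not None:
        raise ValueError("unterminated string literal")
    return found


# Constructed sample input containing both characters the fix escapes.
SAMPLE_TITLE = 'Build "nightly" finished'
SAMPLE_MESSAGE = 'Log: C:\\temp\\out.log" & "extra'
```

With the escaping applied, the generated script contains exactly two literals that decode back to the original message and title; built without it, the same message splits into extra literals separated by script text.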