Close 5 more single-command bypasses from convergence verify (3.29.13)#95
Merged
Conversation
…verify (3.29.13) Round-8 — a second 13-agent convergence verify found 5 NEW classes the round-7 fixes didn't anticipate (1 critical). All fixed; benign controls kept. - HIGH rtk wildcard exec: rtk <cmd> blanket-allowed any wrapped command (rtk node evil.js => RCE). rtk is a rewriter; strip rtk/rtk-proxy prefix and recurse, like time/nice. gain/discover/--version stay safe. - CRITICAL quote/escape/ANSI-C splice on the wallet key: cat ~/.block''run/ .sess''ion read the EVM key — shell strips ''/""/backslash before opening, regex saw non-contiguous text. Deny patterns now run on a shell-normalized copy; $'..'/$".." treated as opaque. Closes all 4 key basenames. - HIGH broadened credential reads: ~/.git-credentials, gh hosts.yml, cargo/ rclone creds, ~/.config/solana/id.json (spendable Solana keypair), keychain, shell history now prompt. - LOW git branch/tag ref destruction: -d/-D/-m/-f delete/rename/force-move prompt; read + create forms stay safe. +4 regression test groups. Suite 504/504.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Round-8 — second convergence verify
A second 13-agent adversarial convergence verify of the 3.29.12 guards confirmed 5 NEW single-command bypass classes the round-7 fixes didn't anticipate. Each was traced through the real classifier and reproduced before fixing.
rtk node evil.js—rtkwrapper blanket-allowed any wrapped command (wildcard RCE)rtk/rtk proxyprefix and recurse; safety = wrapped command'scat ~/.block''run/.sess''ion— empty-quote / backslash / ANSI-C splice reads the EVM key$'…'/$"…"treated as opaquecat ~/.git-credentials— denylist missed gh hosts, cargo/rclone, Solana CLI keypair, keychain, shell historygit branch -d/git tag -d— ref destruction via read-only allowlist(The critical splice defeats the wallet directory rule itself — the shell strips
''/""/\before opening the file, but the literal regex saw non-contiguous text. Fixed by matching against a dequoted/unescaped normalization that mimics shell tokenization.)The recurring lesson: text-classifying shell commands for auto-approval is a denylist treadmill.
isWalletKeyPathon the file/media tools is the primary wallet guard; bash-guard is the best-effort shell net and now fails toward prompting on quoting, expansion, wrappers, and anything it can't statically resolve.Regression tests pin all five classes plus benign controls (wrapped-safe rtk, regex anchors, branch/tag create+list, project source files). Local suite 504/504.