Add environment variable and network destination detection#46
Merged
Add environment variable and network destination detection#46
Conversation
… handler, error handling - Add private_network_ip tier-1 pattern in build.rs for bare IPs without scheme - Add host validation in extract_host_from_arg (reject empty, /, [ hosts) - Fix Fish set handler to collect value parts instead of empty string - Add bare-IP private network fixture and update no_url_rules safeguard - Improve audit.rs error handling: log failures instead of silently ignoring - Fix collapsible else-if clippy lint in check.rs - Improve error reporting in run.rs and score.rs JSON output Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
push_segment() incorrectly treated VAR=VALUE as the command token. Now skips leading environment variable assignments to find the real command. Adds pub is_env_assignment() helper for use by engine bypass detection. Fixes: TIRITH=0 curl evil.com now correctly identifies curl as command. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add command-aware output-flag skipping for curl (-o/--output) and wget (-O/-OFILE/--output-document). Extract URLs from command+args instead of raw segment text to avoid matching URLs in env-prefix values. Add conservative non-TLD file extensions (.png, .jpg, .mp4, etc.) to schemeless host exclusion list. Fixes issue #33. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…paths Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Run cargo fmt --all - Fix uninlined_format_args clippy lints in cli_integration tests - Add .cargo/audit.toml ignoring RUSTSEC-2026-0009 (time crate DoS, not exploitable in our usage, fix requires Rust 1.88) - Add same ignore to deny.toml
- Merge origin/main (glibc build fix) - Fix single & segment boundary in split_raw_words (security) - Use exact match == TIRITH=0 (prevents false bypass) - Skip flags in resolve_command_wrapper - Remove dead code in is_tirith_command Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Resolved 18 conflicts by keeping main's improved code. Replaced engine.rs with main's version to fix duplicate function definitions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Test plan
🤖 Generated with Claude Code
Note
Treat environment variable names case-insensitively in
rules::command.classify_env_varin command.rs to support environment variable and network destination detectionAdd ASCII uppercasing of the input name before membership checks in
rules::command.classify_env_varin command.rs.📍Where to Start
Start with
rules::command.classify_env_varin command.rs.Macroscope summarized a320896.