Fix GHSA-c6rj-wmf4-6963, add nushell hooks, cargo-vet, PKGBUILD LTO #51
Merged
Conversation
Security (GHSA-c6rj-wmf4-6963):
- audit.rs: refuse symlinks + O_NOFOLLOW via libc
- last_trigger.rs: replace predictable tmp with NamedTempFile
- receipt.rs: replace predictable tmp with NamedTempFile
- runner.rs: replace predictable cache write with NamedTempFile
- Move tempfile from dev-deps to deps, add libc unix dep

Issue #34 — PKGBUILD LTO build failure:
- Add options=(!lto) for ring crate compatibility
- Bump pkgver to 0.1.9

Issue #35 — Nushell shell hook support:
- Add warn-only nushell-hook.nu (pre_execution cannot block)
- Wire into init, doctor, assets, PKGBUILD, deb packaging
- Exact-match normalize_shell_name to avoid gnu* false positives

Issue #36 — Cargo-vet supply-chain audit:
- Add VetNotConfigured rule (Low severity, exec-only)
- Add cargo_vet tier-1 pattern in build.rs
- Skip vet check when cwd is unknown (golden fixture safety)
- 6 deterministic unit tests for vet rule

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1. [High] Make audit.rs symlink check cross-platform — move symlink_metadata check out of #[cfg(unix)] so Windows builds also refuse to follow symlinks. O_NOFOLLOW remains Unix-only.
2. [Medium] Fix nushell doctor guidance — replace predictable /tmp/tirith-nu-hook.nu path with safe sourcing instruction pointing to materialized hook directory.
3. [Medium] GHSA tests now exercise production functions — extract Receipt::save_to() and write_last_trigger_to() for testability. Tests call real code paths instead of recreating patterns.
4. [Low] Cargo detection handles Windows paths — split on both / and \ separators, strip .exe suffix before comparison. New test: test_vet_detects_cargo_exe_windows_path.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1. [High] audit.rs: add FILE_FLAG_OPEN_REPARSE_POINT (0x00200000) on Windows to prevent kernel-level symlink following, closing the TOCTOU race between symlink_metadata() and open().
2. [Medium] doctor.rs: use resolved info.hook_dir for nushell source path instead of hardcoded ~/.local/share/tirith/... which breaks when XDG_DATA_HOME is customized.
3. [Low] command.rs: normalize cargo command name with eq_ignore_ascii_case and strip both .exe/.EXE suffixes so CARGO.EXE on Windows is detected by the vet rule.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
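The two file-handling patterns the GHSA commits above describe (refusing symlinks with a portable metadata check plus a kernel-side O_NOFOLLOW so the check-then-open race is closed, and replacing a predictable temp path with an exclusively created random name that is renamed into place) as an added example. This is not tirith's audit.rs or receipt.rs and it uses std only: tirith uses the libc and tempfile crates, whereas here the O_NOFOLLOW values are copied from the Linux and macOS headers and the temp-name randomness comes from std's RandomState, both assumptions of this example. The attacker scenario in demo() is constructed.

```rust
//! Added example, not tirith's code: symlink-refusing open and atomic temp
//! write, std only. O_NOFOLLOW constants and RandomState-based naming are
//! assumptions of this example (tirith uses libc::O_NOFOLLOW and tempfile).
use std::collections::hash_map::RandomState;
use std::fs::{self, File, OpenOptions};
use std::hash::{BuildHasher, Hasher};
use std::io::{self, Read, Write};
use std::path::Path;

// Same values as libc::O_NOFOLLOW on these platforms.
#[cfg(target_os = "linux")]
const O_NOFOLLOW: i32 = 0o400000;
#[cfg(target_os = "macos")]
const O_NOFOLLOW: i32 = 0x0100;

/// Open `path` read-only, refusing to follow a symlink at its final component.
pub fn open_no_follow(path: &Path) -> io::Result<File> {
    // Portable check: symlink_metadata() does not follow links. Alone it is a
    // TOCTOU race, since a link can be swapped in between this and open().
    if fs::symlink_metadata(path)?.file_type().is_symlink() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "refusing to follow symlink"));
    }
    let mut opts = OpenOptions::new();
    opts.read(true);
    // Kernel-side check: with O_NOFOLLOW the open(2) itself fails (ELOOP) if
    // the final component is a symlink at the instant of the open.
    #[cfg(any(target_os = "linux", target_os = "macos"))]
    {
        use std::os::unix::fs::OpenOptionsExt;
        opts.custom_flags(O_NOFOLLOW);
    }
    opts.open(path)
}

fn random_u64() -> u64 {
    // RandomState is seeded from OS randomness; unguessable enough for a temp
    // name in this example (not a CSPRNG).
    let mut h = RandomState::new().build_hasher();
    h.write_u64(std::process::id() as u64);
    h.finish()
}

/// Write `data` to `dest` without truncating anything an attacker may have
/// planted: create_new (O_EXCL) on a random sibling name, then rename(2).
pub fn write_atomic(dest: &Path, data: &[u8]) -> io::Result<()> {
    let dir = dest.parent().filter(|d| !d.as_os_str().is_empty()).unwrap_or(Path::new("."));
    let base = dest.file_name().ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no file name"))?;
    for _ in 0..16 {
        let tmp = dir.join(format!(".{}.{:016x}.tmp", base.to_string_lossy(), random_u64()));
        let mut file = match OpenOptions::new().write(true).create_new(true).open(&tmp) {
            Ok(f) => f,
            // Anything already there (file or dangling link) is never reused.
            Err(e) if e.kind() == io::ErrorKind::AlreadyExists => continue,
            Err(e) => return Err(e),
        };
        let written = file.write_all(data).and_then(|_| file.sync_all());
        drop(file);
        // rename replaces the directory entry at `dest` atomically: a planted
        // symlink is replaced as a link, its target is never written to.
        let result = written.and_then(|_| fs::rename(&tmp, dest));
        if result.is_err() {
            let _ = fs::remove_file(&tmp);
        }
        return result;
    }
    Err(io::Error::new(io::ErrorKind::AlreadyExists, "no free temp name"))
}

pub struct Outcome {
    pub portable_check_refused: bool,
    pub kernel_check_refused: bool,
    pub target_untouched: bool,
    pub dest_is_regular_file: bool,
    pub dest_contents: String,
}

/// Constructed scenario: an attacker pre-plants a symlink at the predictable
/// path the program will write, pointing at a file they want clobbered.
#[cfg(any(target_os = "linux", target_os = "macos"))]
pub fn demo() -> io::Result<Outcome> {
    use std::os::unix::fs::{symlink, OpenOptionsExt};
    let dir = std::env::temp_dir().join(format!("tirith-example-{:016x}", random_u64()));
    fs::create_dir(&dir)?;
    let victim = dir.join("victim");
    fs::write(&victim, b"original")?;
    let dest = dir.join("receipt.json");
    symlink(&victim, &dest)?;

    let portable_check_refused =
        matches!(open_no_follow(&dest), Err(e) if e.kind() == io::ErrorKind::InvalidInput);
    // Skip the metadata check to show the kernel flag alone is sufficient.
    let kernel_check_refused =
        OpenOptions::new().read(true).custom_flags(O_NOFOLLOW).open(&dest).is_err();

    write_atomic(&dest, b"{\"ok\":true}")?;
    let target_untouched = fs::read(&victim)? == b"original".to_vec();
    let dest_is_regular_file = fs::symlink_metadata(&dest)?.file_type().is_file();
    let mut dest_contents = String::new();
    open_no_follow(&dest)?.read_to_string(&mut dest_contents)?;
    let _ = fs::remove_dir_all(&dir);
    Ok(Outcome { portable_check_refused, kernel_check_refused, target_untouched, dest_is_regular_file, dest_contents })
}

#[cfg(any(target_os = "linux", target_os = "macos"))]
fn main() -> io::Result<()> {
    let o = demo()?;
    println!("metadata check refused link: {}", o.portable_check_refused);
    println!("O_NOFOLLOW refused link:     {}", o.kernel_check_refused);
    println!("victim untouched: {}, dest regular: {}, dest = {}", o.target_untouched, o.dest_is_regular_file, o.dest_contents);
    Ok(())
}
#[cfg(not(any(target_os = "linux", target_os = "macos")))]
fn main() {}
```

The Windows counterpart in the commit above, FILE_FLAG_OPEN_REPARSE_POINT, plays the role O_NOFOLLOW plays here: it is the flag that makes the open itself refuse the link, which the metadata check alone cannot guarantee.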
- Quote nushell hook path in doctor output to handle spaces/metacharacters
- Normalize cargo binary name to lowercase before .exe stripping, handling mixed-case variants like Cargo.ExE on Windows

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
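The VetNotConfigured rule from the first commit (flag cargo install/add when supply-chain/config.toml is missing, stay silent when cwd is unknown) together with the cargo-binary detection refined in the last three commits (split on both separators, lowercase, strip .exe), as an added example. This is not tirith's rules/command.rs; the Finding and Severity types and the message text are assumptions, and it goes slightly beyond the commits by skipping a leading +toolchain argument so that `cargo +nightly install` is still caught.

```rust
//! Added example, not tirith's code: VetNotConfigured heuristic and cargo
//! binary detection. Type names, message text and the +toolchain skip are
//! assumptions of this example.
use std::path::Path;

#[derive(Debug, PartialEq, Eq)]
pub enum Severity {
    Low,
}

#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub rule: &'static str,
    pub severity: Severity,
    pub message: String,
}

/// True when argv[0] names the cargo binary, whatever the spelling:
/// "/usr/bin/cargo", "cargo.exe", "C:\Users\me\.cargo\bin\Cargo.ExE".
pub fn is_cargo_binary(argv0: &str) -> bool {
    // Split on both separators: Windows paths may mix '\' and '/'.
    let base = argv0.rsplit(|c: char| c == '/' || c == '\\').next().unwrap_or(argv0);
    // Lowercase before stripping so .EXE, .ExE and .exe are all handled.
    let lower = base.to_ascii_lowercase();
    let name = lower.strip_suffix(".exe").unwrap_or(&lower);
    name == "cargo"
}

/// Low-severity, exec-only rule: `cargo install` / `cargo add` pull third-party
/// code into the build, so flag them when the project has no cargo-vet config.
pub fn check_vet_not_configured(argv: &[&str], cwd: Option<&Path>) -> Option<Finding> {
    if !argv.first().map_or(false, |a| is_cargo_binary(a)) {
        return None;
    }
    // First non-"+toolchain" argument is the subcommand.
    let sub = *argv.iter().skip(1).find(|a| !a.starts_with('+'))?;
    if !matches!(sub, "install" | "add") {
        return None;
    }
    // Golden-fixture runs have no cwd; with nothing to inspect, stay silent
    // rather than emit a finding that depends on the test machine's disk.
    let cwd = cwd?;
    if cwd.join("supply-chain").join("config.toml").is_file() {
        return None;
    }
    Some(Finding {
        rule: "VetNotConfigured",
        severity: Severity::Low,
        message: format!(
            "`cargo {}` in {} but supply-chain/config.toml is absent; run `cargo vet init`",
            sub,
            cwd.display()
        ),
    })
}

fn main() {
    let here = std::env::current_dir().ok();
    let argv = ["cargo", "install", "ripgrep"];
    match check_vet_not_configured(&argv, here.as_deref()) {
        Some(f) => println!("[{:?}] {}: {}", f.severity, f.rule, f.message),
        None => println!("no finding"),
    }
}
```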
Nushell single-quoted strings are literal (no interpolation or escape sequences), so embedded double-quotes or special characters in the hook directory path cannot cause malformed output.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Nushell single-quoted strings have no escape mechanism, so a path containing ' would produce malformed output. Switch to double-quoted Nushell string with \ and " escaped, which handles all path characters safely.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
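The quoting question the two commits above settle, as an added example rather than tirith's doctor.rs: a single-quoted Nushell literal cannot represent a path containing ', while a double-quoted literal with \ and " escaped can represent any path. The small reader at the end implements only the escapes this example emits (it is not Nushell's parser) so the round trip can be checked; the hook file name nushell-hook.nu is the one this PR adds, and nushell_source_line's output format is an assumption.

```rust
//! Added example, not tirith's code: quoting a hook path for a generated
//! Nushell `source` line. The reader below is a subset of Nushell's rules
//! written for this example only.
use std::path::Path;

/// Single-quoted Nushell literal: no escapes exist, so a path containing '
/// cannot be produced. Return None instead of emitting a broken line.
pub fn nu_single_quote(s: &str) -> Option<String> {
    if s.contains('\'') {
        None
    } else {
        Some(format!("'{}'", s))
    }
}

/// Double-quoted Nushell literal: backslash and double quote are escaped
/// (backslash first, so an existing escape cannot be forged). Plain "..."
/// strings do not interpolate, so $ and ( need no treatment.
pub fn nu_double_quote(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('"');
    for c in s.chars() {
        match c {
            '\\' => out.push_str("\\\\"),
            '"' => out.push_str("\\\""),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// The line doctor would tell the user to add to config.nu (format assumed).
pub fn nushell_source_line(hook_dir: &Path) -> String {
    let hook = hook_dir.join("nushell-hook.nu");
    format!("source {}", nu_double_quote(&hook.display().to_string()))
}

/// Reads back a literal produced by nu_double_quote. Only \\ and \" are
/// accepted; anything else (or a bare ") means the literal is malformed.
pub fn nu_parse_double_quoted(lit: &str) -> Option<String> {
    let inner = lit.strip_prefix('"')?.strip_suffix('"')?;
    let mut out = String::new();
    let mut chars = inner.chars();
    while let Some(c) = chars.next() {
        match c {
            '\\' => match chars.next()? {
                '\\' => out.push('\\'),
                '"' => out.push('"'),
                _ => return None,
            },
            '"' => return None, // an unescaped quote would end the string early
            c => out.push(c),
        }
    }
    Some(out)
}

fn main() {
    let awkward = r#"C:\Users\o'brien\"hooks" dir"#;
    println!("single-quoted: {:?}", nu_single_quote(awkward));
    println!("double-quoted: {}", nu_double_quote(awkward));
    println!("{}", nushell_source_line(Path::new("/home/me/.local/share/tirith")));
}
```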
- Merge origin/main (already up to date)
- Fix single & segment boundary in split_raw_words (security)
- Use exact match == TIRITH=0 (prevents false bypass)
- Skip flags in resolve_command_wrapper
- Remove dead code in is_tirith_command
- Remove quote-stripping in is_env_assignment (callers handle this)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Resolved 12 conflicts by keeping main's improved code. Used main's audit.rs (without libc O_NOFOLLOW). Added dead_code allow for unused NUSHELL_HOOK constant.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ct resolution

The merge conflict resolution took main's versions of init.rs, command.rs, and build.rs, losing PR 51's unique features:
- Nushell shell init support (match arm, normalize_shell_name, materialize)
- cargo-vet check_vet_not_configured() rule with 8 tests
- cargo_vet tier-1 pattern in build.rs
- Updated command::check() signature to accept cwd and scan_context

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Test plan
🤖 Generated with Claude Code
Note
Add cargo vet check during Exec scans and introduce Nushell hooks across CLI and packaging to address GHSA-c6rj-wmf4-6963
Add a VetNotConfigured rule in tirith-core that flags cargo install/add when supply-chain/config.toml is missing, pass cwd and scan_context into rules::command::check, and add Nushell hook support in CLI and packaging, including AUR PKGBUILD LTO disable and asset installation.
📍 Where to Start
Start with rules::command::check and the new vet logic in command.rs, then see the callsite in engine.rs.
Macroscope summarized 7c5168f.