Inicio Explorar Axuda
Iniciar sesión
logic855
/
claude-mods
réplica de https://github.com/0xDarkMatter/claude-mods.git
1
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: 10a7602bf0
Ramas Etiquetas
claude-mods
/
hooks
/
pre-commit-unicode-scan.sh

pre-commit-unicode-scan.sh 4.3 KB
Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394 
  1. #!/bin/bash
    2. 

  2. # hooks/pre-commit-unicode-scan.sh
    3. 

  3. # Git pre-commit hook — refuse commits that ADD hidden Unicode to instruction files.
    4. 

  4. #
    5. 

  5. # This is a GIT hook (not a Claude Code hook). It catches the one case nothing at
    6. 

  6. # read-time can: a poisoned CLAUDE.md / AGENTS.md / SKILL.md / .cursorrules entering
    7. 

  7. # the repo via your own commit (PR, template, or pasted-from-untrusted-source content).
    8. 

  8. #
    9. 

  9. # Install (per repo):
    10. 

  10. #   ln -sf ../../hooks/pre-commit-unicode-scan.sh .git/hooks/pre-commit
    11. 

  11. #   # or, if combining with other pre-commit logic, call it from your existing hook:
    12. 

  12. #   #   bash hooks/pre-commit-unicode-scan.sh || exit 1
    13. 

  13. #
    14. 

  14. # Behaviour (silent guardian, severity-graded):
    15. 

  15. #   clean              → no output, exit 0 (commit proceeds)
    16. 

  16. #   high/medium finding→ warning to stderr, exit 0 (commit proceeds — legit in
    17. 

  17. #                        multilingual files; you decide)
    18. 

  18. #   critical finding   → block message to stderr, exit 1 (commit refused — tag-block /
    19. 

  19. #                        bidi override are never legitimate; sanitise first)
    20. 

  20. #
    21. 

  21. # Override a block once (you've confirmed it's intentional, e.g. a doc demonstrating
    22. 

  22. # an attack as a literal): PROMPT_INJECTION_ALLOW=1 git commit ...
    23. 

  23. #
    24. 

  24. # Exit codes:
    25. 

  25. #   0 = allow commit (clean, advisory-only finding, or scanner/python unavailable)
    26. 

  26. #   1 = block commit (critical finding, not overridden)
    27. 

  27. 

  28. set -uo pipefail   # NOT -e: only an explicit critical finding should block
    29. 

  29. 

  30. # ── Locate the scanner (repo + installed layouts share the hooks/ ↔ skills/ sibling) ─
    31. 

  31. SELF_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" 2>/dev/null && pwd)"
    32. 

  32. SCANNER=""
    33. 

  33. for cand in \
    34. 

  34.   "$SELF_DIR/../skills/prompt-injection-defense/scripts/scan-hidden-unicode.py" \
    35. 

  35.   "$HOME/.claude/skills/prompt-injection-defense/scripts/scan-hidden-unicode.py"; do
    36. 

  36.   [ -f "$cand" ] && { SCANNER="$cand"; break; }
    37. 

  37. done
    38. 

  38. [ -n "$SCANNER" ] || exit 0   # scanner not installed → don't break commits
    39. 

  39. 

  40. PY=""
    41. 

  41. for c in python3 python py; do
    42. 

  42.   command -v "$c" >/dev/null 2>&1 && "$c" -c "import sys" >/dev/null 2>&1 && { PY="$c"; break; }
    43. 

  43. done
    44. 

  44. [ -n "$PY" ] || exit 0
    45. 

  45. 

  46. # ── Staged added/modified instruction files ───────────────────────────────────
    47. 

  47. INSTR_RE='\.(md|mdc)$|(^|/)(CLAUDE|AGENTS|GEMINI|COPILOT|CURSOR|WARP)\.md$|(^|/)\.(cursorrules|windsurfrules|clinerules)$'
    48. 

  48. mapfile -t FILES < <(git diff --cached --name-only --diff-filter=AM 2>/dev/null | grep -iE "$INSTR_RE" || true)
    49. 

  49. [ "${#FILES[@]}" -eq 0 ] && exit 0   # no instruction files staged → silent
    50. 

  50. 

  51. # Only scan files that exist in the working tree (staged content on disk).
    52. 

  52. EXIST=()
    53. 

  53. for f in "${FILES[@]}"; do [ -f "$f" ] && EXIST+=("$f"); done
    54. 

  54. [ "${#EXIST[@]}" -eq 0 ] && exit 0
    55. 

  55. 

  56. # ── Scan with --json to read the worst severity ───────────────────────────────
    57. 

  57. JSON="$("$PY" "$SCANNER" --json "${EXIST[@]}" 2>/dev/null)"
    58. 

  58. RC=$?
    59. 

  59. [ "$RC" -eq 0 ] && exit 0   # clean → silent, commit proceeds
    60. 

  60. 

  61. WORST="$(printf '%s' "$JSON" | "$PY" -c 'import sys,json
    62. 

  62. try: print(json.load(sys.stdin)["meta"]["worst_severity"])
    63. 

  63. except Exception: print("unknown")' 2>/dev/null)"
    64. 

  64. 

  65. # Human-readable finding lines (file:line:col band) for the message.
    66. 

  66. DETAIL="$("$PY" "$SCANNER" "${EXIST[@]}" 2>/dev/null | head -20)"
    67. 

  67. 

  68. if [ "$WORST" = "critical" ]; then
    69. 

  69.   if [ "${PROMPT_INJECTION_ALLOW:-0}" = "1" ]; then
    70. 

  70.     echo "prompt-injection: CRITICAL hidden-Unicode in staged instruction files —" >&2
    71. 

  71.     echo "  allowed by PROMPT_INJECTION_ALLOW=1. Make sure this is intentional." >&2
    72. 

  72.     exit 0
    73. 

  73.   fi
    74. 

  74.   {
    75. 

  75.     echo "COMMIT BLOCKED — prompt-injection-defense"
    76. 

  76.     echo "Critical hidden-Unicode (tag-block ASCII smuggling or bidi override) in staged"
    77. 

  77.     echo "instruction files. These render as nothing / reorder text — never legitimate here:"
    78. 

  78.     echo ""
    79. 

  79.     printf '%s\n' "$DETAIL"
    80. 

  80.     echo ""
    81. 

  81.     echo "Fix:  python <skills>/prompt-injection-defense/scripts/sanitize-content.py <file> -o <file>"
    82. 

  82.     echo "Then re-stage and commit. Override (only if intentional, e.g. an attack-demo doc):"
    83. 

  83.     echo "  PROMPT_INJECTION_ALLOW=1 git commit ..."
    84. 

  84.   } >&2
    85. 

  85.   exit 1
    86. 

  86. fi
    87. 

  87. 

  88. # high / medium → advisory, allow the commit
    89. 

  89. {
    90. 

  90.   echo "prompt-injection ADVISORY: ${WORST}-severity hidden-Unicode in staged instruction files."
    91. 

  91.   echo "Legitimate in genuinely multilingual text; suspicious otherwise. Commit allowed."
    92. 

  92.   printf '%s\n' "$DETAIL" | head -8
    93. 

  93. } >&2
    94. 

  94. exit 0
    95.