mirror of
https://github.com/LerianStudio/ring
synced 2026-04-21 21:47:49 +00:00
Fixed 2 CRITICAL security vulnerabilities in compliance-validator.sh:

**CVE-1: Arbitrary Command Execution**
- Vulnerability: bash -c executed patterns from YAML without validation
- Location: Lines 113-116, 120-124 (command_succeeds, command_output_contains)
- Fix:
  * Implemented command whitelist (git, npm, yarn, pytest, jest, make, cargo, go, python)
  * Added validate_command() to check against whitelist
  * Added safe_run_command() with 30-second timeout
  * All commands now validated before execution
  * Proper error messages for rejected commands

**CVE-2: Command Injection via Patterns**
- Vulnerability: Unquoted patterns in git_diff_order case statements
- Location: Lines 127-184
- Fix:
  * Added validate_pattern() to sanitize glob patterns
  * Reject patterns with dangerous chars (; & $ \` ( ) < > \\)
  * Sanitize patterns using tr -d before use in case statements
  * Validate pipe-separated pattern format

**Security Enhancements:**
- Whitelisted commands: git, npm, yarn, pytest, jest, make, cargo, go, python, python3, node
- Command timeout: 30 seconds max (with macOS compatibility)
- Pattern validation: Block special characters that could enable injection
- Input sanitization: Remove dangerous chars from patterns before use

**Testing:**
- Created comprehensive security test suite (10 tests)
- All tests pass:
  * CVE-1 command injection prevention (4 tests)
  * CVE-2 pattern injection prevention (2 tests)
  * Timeout protection
  * Whitelisted command execution
  * Multiple injection attempts
  * Command chaining prevention

Test results: 10/10 passed

Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
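The commit message above describes three controls for a validator that runs commands and glob patterns read from YAML: a command allowlist, pattern validation plus `tr -d` sanitization, and a timeout around execution. The script below is an added illustration of that shape, not the repository's compliance-validator.sh. The function names `validate_command`, `safe_run_command` and `validate_pattern` are taken from the commit, but their bodies, the helper names `run_with_timeout`, `sanitize_pattern` and `matches_pattern`, and the regexes are this example's own assumptions. It goes a little beyond the commit in two places that a reviewer would look for: the metacharacter check is applied to the whole command line, not only the first word, and the validated line is executed as argv directly rather than through `bash -c`.

```bash
#!/usr/bin/env bash
# Added illustration (not the repository's compliance-validator.sh) of the
# three controls the commit message describes: a command allowlist, glob
# pattern validation/sanitization, and a timeout around command execution.
# Function names mirror the ones named in the commit; their bodies are this
# example's own assumptions about how such checks can be written.

# Allowlisted command names, as listed in the commit message.
ALLOWED_COMMANDS="git npm yarn pytest jest make cargo go python python3 node"
COMMAND_TIMEOUT=30

# Shell metacharacters the commit rejects in patterns: ; & $ ` ( ) < > \
PATTERN_META_RE='[;&$`()<>\\]'
# For whole command lines we additionally reject '|' (pipes).
COMMAND_META_RE='[;&$`()<>\\|]'

# validate_command LINE: succeed only if the first word is allowlisted.
validate_command() {
    local line="$1" first allowed
    first="${line%%[[:space:]]*}"
    for allowed in $ALLOWED_COMMANDS; do
        [ "$first" = "$allowed" ] && return 0
    done
    echo "rejected command '$first': not in allowlist" >&2
    return 1
}

# run_with_timeout SECS CMD [ARGS...]: kill CMD after SECS seconds.
# GNU timeout is the norm on Linux; macOS lacks it unless coreutils is
# installed (gtimeout), so fall back to perl's alarm(), which ships with macOS.
run_with_timeout() {
    local secs="$1"; shift
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" "$@"
    elif command -v gtimeout >/dev/null 2>&1; then
        gtimeout "$secs" "$@"
    else
        perl -e 'alarm shift; exec @ARGV' "$secs" "$@"
    fi
}

# safe_run_command LINE: validate, then execute without going through
# `bash -c`, so the line is never reinterpreted by a shell parser.
safe_run_command() {
    local line="$1"
    validate_command "$line" || return 1
    # Check the whole line, not just the first word, so that
    # "git status; echo injected" cannot ride in behind an allowlisted name.
    if printf '%s' "$line" | grep -q "$COMMAND_META_RE"; then
        echo "rejected command line: contains shell metacharacters" >&2
        return 1
    fi
    # Split on whitespace into argv with globbing disabled (set -f) so a
    # '*' argument is passed through literally rather than expanded here.
    ( set -f; set -- $line; run_with_timeout "$COMMAND_TIMEOUT" "$@" )
}

# validate_pattern SPEC: SPEC is one or more globs separated by '|'.
validate_pattern() {
    local spec="$1"
    if printf '%s' "$spec" | grep -q "$PATTERN_META_RE"; then
        echo "rejected pattern '$spec': contains shell metacharacters" >&2
        return 1
    fi
    case "$spec" in
        ''|'|'*|*'|'|*'||'*)
            echo "rejected pattern '$spec': empty component in pipe-separated list" >&2
            return 1 ;;
    esac
    return 0
}

# sanitize_pattern SPEC: strip the same metacharacters with tr -d, as a
# second layer before the pattern reaches a case statement.
sanitize_pattern() {
    printf '%s' "$1" | tr -d ';&$`()<>\\'
}

# matches_pattern FILE SPEC: true if FILE matches any glob in SPEC. Each
# component is matched separately because a '|' produced by variable
# expansion is a literal character in a case pattern, not an alternation.
matches_pattern() {
    local file="$1" spec rest glob
    validate_pattern "$2" || return 1
    spec=$(sanitize_pattern "$2")
    rest="$spec"
    while [ -n "$rest" ]; do
        glob="${rest%%|*}"
        case "$file" in
            $glob) return 0 ;;   # unquoted on purpose: a validated glob
        esac
        [ "$rest" = "$glob" ] && break
        rest="${rest#*|}"
    done
    return 1
}
```

Two design points worth noting. First, an allowlist on the first word alone is not enough when the line is later handed to `bash -c`, because `git status; echo injected` still starts with `git`; the whole-line metacharacter check and the argv-style execution close that gap together. Second, `case "$file" in $spec)` does not treat a `|` coming out of a variable as an alternation, so a pipe-separated pattern spec has to be split and matched component by component, as `matches_pattern` does.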
| File |
|---|
| common.sh |
| compliance-validator.sh |
| initialize-skills.sh |
| metrics-tracker.sh |
| output-validator.sh |
| preflight-checker.sh |
| README.md |
| skill-composer.sh |
| skill-matcher.sh |
Ring Infrastructure Library
Utility scripts for skills/agents orchestration, validation, and metrics.
Components
- compliance-validator.sh - Validates skill adherence to compliance rules
- output-validator.sh - Validates agent output against schema
- preflight-checker.sh - Runs prerequisite checks before skills
- skill-matcher.sh - Maps tasks to relevant skills
- skill-composer.sh - Suggests next skill based on context
- metrics-tracker.sh - Tracks skill/agent usage and effectiveness
Usage
All scripts are invoked by orchestrators, commands, or skills. Not intended for direct CLI use.
Testing
See testing/test-lib-*.md for test cases.