From fe4baad522fc01a3c538b5e71be8dde4c22b58fc Mon Sep 17 00:00:00 2001 From: Claude Code Date: Tue, 21 Apr 2026 06:44:57 +0000 Subject: [PATCH] fix: validate KEY against allowlist in read_config.sh KEY was interpolated directly into grep -E as a regex pattern without validation. Callers currently only pass literal strings ("git", "session_capture"), but any future caller passing untrusted input could trigger unexpected regex matches. An allowlist ensures only known keys can be queried, making the safe path the only path. Co-Authored-By: Claude Code --- hooks/scripts/read_config.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hooks/scripts/read_config.sh b/hooks/scripts/read_config.sh index c4130cd..cac3801 100755 --- a/hooks/scripts/read_config.sh +++ b/hooks/scripts/read_config.sh @@ -16,6 +16,12 @@ if [ -z "$KEY" ]; then exit 0 fi +# Allowlist: only accept known config keys to prevent regex injection +case "$KEY" in + git|session_capture) ;; + *) echo "$DEFAULT"; exit 0 ;; +esac + # Find project root — use CLAUDE_PROJECT_DIR if set, otherwise walk up PROJECT_DIR="${CLAUDE_PROJECT_DIR:-$(pwd)}" CONFIG_FILE="$PROJECT_DIR/.arscontexta"