fix(secret-guard): strip quoted-heredoc bodies in call-detection#92
Merged
Conversation
PreToolUse hook blocked git commits whose message body mentioned secret-cache-read / op read / security find-generic-password (rule B2/B1/B2b false-positive).

Two compounding causes in is_safe_secret_call: (1) the literal token sat inside a quoted-marker heredoc (<<'EOF'...EOF) which preserves the body as data, not a call, and (2) the existing $() strip regex \$\([^\(\)]*\) couldn't match when the body contained parens, so conventional-commit subjects defeated the substitution strip on every applicable commit.

Prepend a quoted-heredoc body strip (awk, line-based) before the $() / backtick / <() strip in is_safe_secret_call. UNQUOTED markers stay under B6's purview unchanged.

Adds tests 131/132/133 covering all three rules; tests confirmed red before fix and green after. Test suite 115/115; shellcheck clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ed-heredoc # Conflicts: # docs/sync-log.md
Summary

- PreToolUse hook blocked git commit -m "$(cat <<'INNER' ... INNER)" whose message body documented changes to secret-cache-read / op read / security find-generic-password (rule B2/B1/B2b false-positive).
- Two compounding causes in is_safe_secret_call: (1) literal call-tokens inside a quoted-marker heredoc body are documentation, not invocations, and (2) the $() strip regex \$\([^\(\)]*\) can't match when the body contains parens, so conventional-commit subjects (feat(scope): ...) defeat the substitution strip.
- Prepend a quoted-heredoc body strip (awk, line-based) before the $() / backtick / <() strip. UNQUOTED markers stay under B6's purview unchanged.

Test plan

- tests/secret-guard.sh cases 131/132/133 (B2, B1, B2b inside <<'EOF' body)
- chezmoi apply deployed; original user repro now exits 0 (secret-cache-read / op read / security find-generic-password mentioned in body)

🤖 Generated with Claude Code
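The ordering problem the PR describes, as an added example that is not the project's secret-guard hook or its rule set: a minimal is_safe_secret_call-style check that strips quoted-marker heredoc bodies first, then the $() / backtick / <() substitutions, then looks for secret-reading tokens in what remains. The function names, the token list standing in for rules B1/B2/B2b, and the three sample commands are all constructed here; the only thing taken from the page is the $() strip pattern \$\([^\(\)]*\), kept as-is so the example also reproduces why a parenthesised conventional-commit subject defeated it.

```shell
#!/bin/sh
# Added example, not the project's secret-guard hook: a minimal
# is_safe_secret_call-style check that strips quoted-marker heredoc bodies
# BEFORE stripping $(...) / `...` / <(...) substitutions, then looks for
# secret-reading call tokens in what is left. Function names, the token
# list and the three sample commands are constructed for this example.

# Drop every line between a <<'MARK' (or <<"MARK", <<-'MARK') opener and its
# terminator line. Quoted markers disable expansion, so the body is data and
# cannot contain a real call. Unquoted <<MARK bodies are left untouched.
strip_quoted_heredocs() {
  awk '
    BEGIN { q = "\047"; opener = "<<-?[" q "\"][A-Za-z_][A-Za-z0-9_]*[" q "\"]" }
    inbody {
      t = $0; sub(/^\t+/, "", t)             # <<- permits leading tabs on the terminator
      if (t == marker) inbody = 0            # terminator line: leave body mode
      next                                   # body and terminator lines are dropped
    }
    match($0, opener) {
      marker = substr($0, RSTART + 2, RLENGTH - 2)   # text after "<<"
      sub(/^-/, "", marker)                           # optional "-"
      marker = substr(marker, 2, length(marker) - 2)  # strip the surrounding quotes
      inbody = 1
    }
    { print }
  '
}

# Remove $( ... ), backtick and <( ... ) substitutions from the whole command.
# The $( ... ) pattern is the page's \$\([^\(\)]*\): it stops at the first
# nested paren, which is why a body holding "feat(scope): ..." used to defeat
# it. The input is slurped so the pattern can span lines.
strip_substitutions() {
  awk '
    { buf = buf $0 "\n" }
    END {
      gsub(/\$\([^()]*\)/, "", buf)
      gsub(/`[^`]*`/, "", buf)
      gsub(/<\([^()]*\)/, "", buf)
      printf "%s", buf
    }
  '
}

# Constructed stand-ins for rules B1/B2/B2b: tokens that denote a real read of
# a secret store when they appear as a command, not inside quoted data.
SECRET_CALL_RE='(^|[^A-Za-z0-9_-])(op read|secret-cache-read|security find-generic-password)([^A-Za-z0-9_-]|$)'

# Fixed order: heredoc bodies first, then substitutions. Exit 0 = call found.
has_secret_call() {
  strip_quoted_heredocs | strip_substitutions | grep -Eq "$SECRET_CALL_RE"
}

# Pre-fix order for comparison: substitution strip only.
has_secret_call_legacy() {
  strip_substitutions | grep -Eq "$SECRET_CALL_RE"
}

# Sample 1: a genuine call, must be flagged by both versions.
sample_direct_call() {
  printf '%s\n' 'op read "op://Example/db/password"'
}

# Sample 2: the reported false positive. The commit subject carries parens and
# the body only documents the calls inside a quoted-marker heredoc.
sample_doc_only() {
  cat <<'SAMPLE'
git commit -m "$(cat <<'INNER'
feat(secret-guard): document the op read path

Explain where secret-cache-read and security find-generic-password are used.
INNER
)"
SAMPLE
}

# Sample 3: same message with an UNQUOTED marker. The body is expanded by the
# shell, so it is left in place and still reaches the token check.
sample_unquoted_heredoc() {
  cat <<'SAMPLE'
git commit -m "$(cat <<INNER
feat(secret-guard): document the op read path
INNER
)"
SAMPLE
}

# Stand-alone run: prints one verdict per sample.
for s in sample_direct_call sample_doc_only sample_unquoted_heredoc; do
  if "$s" | has_secret_call; then echo "$s: call"; else echo "$s: documentation only"; fi
done
```

Running the block prints "call" for the direct invocation and for the unquoted-marker message, and "documentation only" for the quoted-marker message. Piping sample_doc_only through has_secret_call_legacy instead still reports "call": the $( ... ) pattern never matches because the body's first "(" belongs to feat(secret-guard), so the tokens survive into the check. With the heredoc strip in front, the same command collapses to git commit -m "" before the substitution strip runs, which is the whole effect of the fix.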