Skip to content

Security: AssafWoo/homebrew-pandafilter

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in PandaFilter, please do not open a public GitHub issue.

Report it privately via GitHub's built-in security advisory system: πŸ‘‰ Open a private security advisory

  • Response time: We aim to acknowledge reports within 48 hours
  • Disclosure: We follow responsible disclosure practices (90-day embargo)

Why PandaFilter Is Sensitive

PandaFilter is a CLI tool that sits between Claude Code and your shell. It:

  • Intercepts and rewrites shell commands via a PreToolUse hook
  • Reads and compresses tool output via a PostToolUse hook
  • Executes commands on your behalf via panda run

This makes the following attack surfaces especially important:

High-Risk Files

Tier 1: Command Interception & Execution

  • ccr/src/hook.rs β€” PostToolUse hook, processes all tool output
  • ccr/src/cmd/run.rs β€” Executes commands on behalf of Claude Code
  • ccr/src/cmd/rewrite.rs β€” Rewrites commands before execution (injection risk)
  • ccr/src/main.rs β€” init() writes hooks into ~/.claude/settings.json
  • hooks/panda-rewrite.sh / ~/.claude/hooks/panda-rewrite.sh β€” Shell hook that intercepts every Bash tool call in Claude Code

Tier 2: Input Handling

  • ccr/src/handlers/*.rs β€” Per-command output filters (parse untrusted command output)
  • ccr/src/session.rs β€” Session state persistence
  • ccr/src/noise_learner.rs β€” Learns and persists patterns from command output

Tier 3: Supply Chain & CI/CD

  • Cargo.toml β€” Dependency manifest
  • .github/workflows/*.yml β€” Release pipeline (produces signed binaries)

Dangerous Patterns We Watch For

Pattern Risk
Command::new("sh").arg("-c") Shell injection via user input
.env("LD_PRELOAD") Library hijacking
reqwest::, std::net:: Unexpected network/exfiltration
unsafe { Bypasses Rust memory safety
Hardcoded secrets or tokens Credential exposure
Base64/hex encoded strings Obfuscation of malicious payloads
Time-based conditionals Logic bombs

Dependency Policy

New dependencies added to Cargo.toml must meet:

  • Downloads: >10,000 on crates.io
  • License: MIT or Apache-2.0 compatible
  • Activity: Updated within the last 6 months
  • No typosquatting: Manually verified against similar crate names

Disclosure Timeline

  1. Day 0 β€” Acknowledgment sent to reporter
  2. Day 7 β€” Severity and impact assessed
  3. Day 14 β€” Patch development begins
  4. Day 30 β€” Patch released
  5. Day 90 β€” Public disclosure (or earlier if patch is deployed)

Critical vulnerabilities (command injection, data exfiltration) will be fast-tracked.

Security Tooling

  • cargo audit β€” CVE scanning (runs in CI on every release)
  • cargo clippy β€” Lints for unsafe patterns
  • GitHub Dependabot β€” Automated dependency updates

Last updated: 2026-04-02

There aren’t any published security advisories