fix(hook): prevent flag injection in rtk-rewrite hooks (#1350) #1370

Open
ousamabenyounes wants to merge 1 commit into rtk-ai:develop from ousamabenyounes:fix/issue-1350

@ousamabenyounes
Contributor

Summary

Fixes #1350.

  • Add `--` end-of-options terminator before `"$CMD"` in hooks/claude/rtk-rewrite.sh:55 and hooks/cursor/rtk-rewrite.sh:43 (same bug in both hooks).
  • An LLM-generated command starting with `-`/`--` (e.g. `--help`) would otherwise be intercepted by clap as a flag to `rtk rewrite`, causing the help text to be emitted as the "rewritten" command and fed back to the agent for shell execution.
  • Adding `--` makes clap treat `$CMD` as a positional argument, closing the injection path.

Test plan

  • cargo fmt --all --check && cargo clippy --all-targets && cargo test — 1591 passed, 6 ignored (baseline was 1590 pass, +1 from new test)
  • New Rust CLI parser test `test_rewrite_clap_double_dash_blocks_flag_injection` covers `--help`, `-h`, `--version`, `-V`
  • New bash regression tests in hooks/claude/test-rtk-rewrite.sh (5 flag-injection cases, all pass against the patched hook)
  • Manual verification: `rtk rewrite "--help"` emits help text (bug), `rtk rewrite -- "--help"` emits nothing with exit 1 (fix)

Files changed

| File | Change |
|---|---|
| hooks/claude/rtk-rewrite.sh | Add `--` before `"$CMD"` + comment explaining why |
| hooks/cursor/rtk-rewrite.sh | Same fix for the Cursor hook (identical bug) |
| hooks/claude/test-rtk-rewrite.sh | 5 new bash tests under "Flag injection safety (#1350)" |
| src/main.rs | 1 new `#[test]` verifying clap + `--` behavior for `Commands::Rewrite` |

Notes

  • Pre-existing bash hook test failures (7 audit-logging + 1 compound-command) are unrelated and reproduce on develop without this PR.
  • No CHANGELOG.md edits — release-please manages it.

Generated by Claude Code

Before this change, the Claude and Cursor rewrite hooks called
`rtk rewrite "$CMD"` without a `--` terminator. An LLM-generated command
starting with `-`/`--` (e.g. "--help") would be intercepted by clap as a
flag to the `rewrite` subcommand, causing the help text to be emitted as
the "rewritten" command and fed back to the agent, which would then
shell-execute the help-text content.

Adding `--` makes clap treat `$CMD` as a positional argument so no
flag-injection is possible. New tests exercise `--help`, `-h`, `--version`,
and `-V` at both the CLI parser level (Rust) and the hook level (bash).

Co-Authored-By: Claude <noreply@anthropic.com>
@pszymkowiak added the bug (Something isn't working) and effort-small (A few hours, 1 file) labels Apr 17, 2026
@pszymkowiak
Collaborator

[w] wshm · Automated triage by AI

📊 Automated PR Analysis

🐛 Type bug-fix
🟢 Risk low

Summary

Fixes a flag injection vulnerability in rtk-rewrite hooks where an LLM-generated command starting with '-' or '--' (e.g. '--help') would be interpreted by clap as a flag to rtk rewrite, causing help text to be emitted as the rewritten command and shell-executed by the agent. The fix adds a -- end-of-options terminator before the command argument in both the Claude and Cursor hook scripts.

Review Checklist

  • Tests present
  • Breaking change
  • Docs updated

Linked issues: #1350


Analyzed automatically by wshm · This is an automated analysis, not a human review.
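
The two hook call shapes from the PR summary, as an added example that is not part of the PR or the rtk code base. `fake_rtk_rewrite` is a constructed stand-in that mimics only the option handling the PR attributes to clap; its usage string, version placeholder and `git status` rewrite rule are assumptions, and `hook_unpatched`/`hook_patched` are hypothetical names for the two invocations.

```shell
#!/usr/bin/env bash
# Constructed stand-in for `rtk rewrite`, NOT the real binary. It mimics only
# the behaviour the PR attributes to clap: before `--` a leading `-` means
# "flag"; after `--` the argument is positional.
fake_rtk_rewrite() {
    if [ "$1" = "--" ]; then
        shift    # end of options: whatever follows is the command text
    else
        case "$1" in
            -h|--help)    echo "Usage: rtk rewrite <CMD>"; return 0 ;;  # assumed text
            -V|--version) echo "rtk VERSION-PLACEHOLDER"; return 0 ;;
            -*)           echo "error: unexpected argument '$1'" >&2; return 2 ;;
        esac
    fi
    case "$1" in
        "git status") echo "rtk git status" ;;  # assumed rewrite rule
        *)            return 1 ;;               # no rewrite: no output, exit 1
    esac
}

# Call shape before the fix: $CMD lands where options are still parsed.
hook_unpatched() { fake_rtk_rewrite "$1"; }

# Call shape after the fix: `--` ends option parsing before $CMD.
hook_patched() { fake_rtk_rewrite -- "$1"; }

# Constructed inputs: one ordinary command plus the four cases the PR tests.
for cmd in "git status" "--help" "-h" "--version" "-V"; do
    before=$(hook_unpatched "$cmd") && rc_before=0 || rc_before=$?
    after=$(hook_patched "$cmd") && rc_after=0 || rc_after=$?
    printf '%-12s unpatched=[%s] rc=%s | patched=[%s] rc=%s\n' \
        "$cmd" "$before" "$rc_before" "$after" "$rc_after"
done
```

With the patched shape every flag-like input yields empty output and exit 1, matching the manual verification in the test plan, while an ordinary command is rewritten the same way by both shapes.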
