Class: Rules::IdeConfigInjection

Inherits:
Base
  • Object
show all
Defined in:
lib/rules/ide_config_injection.rb

Constant Summary collapse

WRITE_PATTERN = 
/(echo|cat|tee|printf|cp|mv|install|sed|>|>>).*\.(claude|vscode|cursor)\//

Instance Method Summary collapse

Instance Method Details

#check(workflow) ⇒ Object 



9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 
# File 'lib/rules/ide_config_injection.rb', line 9

def check(workflow)
    findings = []

    workflow.raw_lines.each_with_index do |line, i|
        next if line.strip.start_with?("#")

        if line.match?(WRITE_PATTERN)
            findings << finding(workflow,
                line: i + 1,
                code: line.strip,
                message: "Workflow writes to IDE/AI config files — can execute arbitrary code on project open",
                fix: "Remove IDE config file writes from workflows, or validate content before writing"
            )
        end
    end

    findings
end

#descriptionObject 



4
 
# File 'lib/rules/ide_config_injection.rb', line 4

def description = "Workflow writes to IDE/AI agent config files that auto-execute code"

#nameObject 



3
 
# File 'lib/rules/ide_config_injection.rb', line 3

def name = "ide-config-injection"

#severityObject 



5
 
# File 'lib/rules/ide_config_injection.rb', line 5

def severity = :critical