PyPI - plugin-scanner - Versions diffs - 2.0.83__tar.gz → 2.0.84__tar.gz - Mend

plugin-scanner 2.0.83tar.gz → 2.0.84tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (333) hide show

{plugin_scanner-2.0.83 → plugin_scanner-2.0.84}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.83
+Version: 2.0.84
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.83 → plugin_scanner-2.0.84}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.83"
+version = "2.0.84"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.83 → plugin_scanner-2.0.84}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.83"
+version = "2.0.84"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.83 → plugin_scanner-2.0.84}/src/codex_plugin_scanner/guard/cli/commands.py RENAMED Viewed

@@ -3816,7 +3816,13 @@ _CODEX_SEARCH_OPTION_VALUE_FLAGS = frozenset(
 _CODEX_SEARCH_OPTION_VALUE_FLAGS_BY_EXECUTABLE = {
     "rg": frozenset({"-T"}),
 }
-_CODEX_SEARCH_UNSAFE_FLAGS = frozenset({"--pre"})
+_CODEX_SEARCH_UNSAFE_FLAGS = frozenset({"--dereference-recursive", "--follow", "--pre"})
+_CODEX_SEARCH_UNSAFE_SHORT_FLAGS_BY_EXECUTABLE = {
+    "egrep": frozenset({"R"}),
+    "fgrep": frozenset({"R"}),
+    "grep": frozenset({"R"}),
+    "rg": frozenset({"L"}),
+}
 _CODEX_GIT_GLOBAL_VALUE_FLAGS = frozenset(
     {"-c", "--config-env", "--exec-path", "--git-dir", "--work-tree", "--namespace"}
 )
@@ -3988,6 +3994,7 @@ def _codex_search_targets_are_source_like(args: list[str], *, cwd: Path | None,
     positional: list[str] = []
     skip_next = False
     pattern_from_option = False
+    after_option_terminator = False
     option_value_flags = _CODEX_SEARCH_OPTION_VALUE_FLAGS | _CODEX_SEARCH_OPTION_VALUE_FLAGS_BY_EXECUTABLE.get(
         executable, frozenset()
     )
@@ -3995,7 +4002,13 @@ def _codex_search_targets_are_source_like(args: list[str], *, cwd: Path | None,
         if skip_next:
             skip_next = False
             continue
-        if arg in _CODEX_SEARCH_UNSAFE_FLAGS or any(arg.startswith(f"{flag}=") for flag in _CODEX_SEARCH_UNSAFE_FLAGS):
+        if after_option_terminator:
+            positional.append(arg)
+            continue
+        if arg == "--":
+            after_option_terminator = True
+            continue
+        if _codex_search_arg_is_unsafe(arg, executable=executable, option_value_flags=option_value_flags):
             return False
         if arg in _CODEX_SEARCH_PATTERN_VALUE_FLAGS:
             pattern_from_option = True
@@ -4012,8 +4025,6 @@ def _codex_search_targets_are_source_like(args: list[str], *, cwd: Path | None,
             continue
         if any(arg.startswith(f"{flag}=") for flag in option_value_flags):
             continue
-        if arg == "--":
-            continue
         if arg.startswith("-"):
             continue
         positional.append(arg)
@@ -4026,6 +4037,22 @@ def _codex_search_targets_are_source_like(args: list[str], *, cwd: Path | None,
     return bool(targets) and all(_codex_search_target_is_source_like(target, cwd=cwd) for target in targets)
+def _codex_search_arg_is_unsafe(arg: str, *, executable: str, option_value_flags: frozenset[str]) -> bool:
+    if arg in _CODEX_SEARCH_UNSAFE_FLAGS:
+        return True
+    if any(arg.startswith(f"{flag}=") for flag in _CODEX_SEARCH_UNSAFE_FLAGS):
+        return True
+    if not arg.startswith("-") or arg.startswith("--"):
+        return False
+    unsafe_short_flags = _CODEX_SEARCH_UNSAFE_SHORT_FLAGS_BY_EXECUTABLE.get(executable, frozenset())
+    for flag in arg[1:]:
+        if flag in unsafe_short_flags:
+            return True
+        if f"-{flag}" in option_value_flags:
+            return False
+    return False
 def _codex_search_target_is_source_like(target: str, *, cwd: Path | None) -> bool:
     stripped = target.strip().strip("'\"")
     if not stripped:

{plugin_scanner-2.0.83 → plugin_scanner-2.0.84}/src/codex_plugin_scanner/integrations/cisco_mcp_scanner.py RENAMED Viewed

@@ -47,6 +47,13 @@ class CiscoMcpScanSummary:
     scan_mode: str = "static"
+@dataclass(frozen=True, slots=True)
+class _StaticScanTarget:
+    read_path: Path
+    tool_name: str
+    content_type: str
 def _empty_counts() -> dict[str, int]:
     return {severity.value: 0 for severity in Severity}
@@ -235,15 +242,24 @@ def _normalize_finding(plugin_dir: Path, file_path: Path, finding: object) -> Fi
     )
-def _collect_static_targets(plugin_dir: Path) -> tuple[Path, ...]:
+def _collect_static_targets(plugin_dir: Path) -> tuple[_StaticScanTarget, ...]:
     config_path = plugin_dir / ".mcp.json"
-    if not config_path.is_file():
+    resolved_config_path = _safe_resolved_static_target(plugin_dir, config_path)
+    if resolved_config_path is None:
         return ()
-    targets: list[Path] = []
+    targets: list[_StaticScanTarget] = []
+    seen_targets: set[Path] = set()
     try:
-        if config_path.stat().st_size <= _MAX_TARGET_SIZE_BYTES:
-            targets.append(config_path)
+        if resolved_config_path.stat().st_size <= _MAX_TARGET_SIZE_BYTES:
+            targets.append(
+                _StaticScanTarget(
+                    read_path=resolved_config_path,
+                    tool_name=config_path.name,
+                    content_type="mcp-config",
+                )
+            )
+            seen_targets.add(resolved_config_path)
     except OSError:
         pass
     for root, dirs, files in os.walk(plugin_dir, topdown=True):
@@ -253,15 +269,40 @@ def _collect_static_targets(plugin_dir: Path) -> tuple[Path, ...]:
             file_path = current_dir / file_name
             if file_path == config_path or file_path.suffix.lower() not in _SOURCE_SUFFIXES:
                 continue
+            resolved_file_path = _safe_resolved_static_target(plugin_dir, file_path)
+            if resolved_file_path is None or resolved_file_path in seen_targets:
+                continue
             try:
-                if file_path.stat().st_size > _MAX_TARGET_SIZE_BYTES:
+                if resolved_file_path.stat().st_size > _MAX_TARGET_SIZE_BYTES:
                     continue
             except OSError:
                 continue
-            targets.append(file_path)
+            targets.append(
+                _StaticScanTarget(
+                    read_path=resolved_file_path,
+                    tool_name=resolved_file_path.name,
+                    content_type="mcp-source",
+                )
+            )
+            seen_targets.add(resolved_file_path)
     return tuple(targets)
+def _safe_resolved_static_target(plugin_dir: Path, target: Path) -> Path | None:
+    try:
+        resolved_root = plugin_dir.resolve(strict=True)
+        resolved_target = target.resolve(strict=True)
+        if not resolved_target.is_file():
+            return None
+    except (OSError, RuntimeError):
+        return None
+    try:
+        resolved_target.relative_to(resolved_root)
+    except ValueError:
+        return None
+    return resolved_target
 def _run_awaitable(awaitable: Awaitable[T]) -> T:
     try:
         asyncio.get_running_loop()
@@ -288,40 +329,41 @@ def _run_awaitable(awaitable: Awaitable[T]) -> T:
 async def _scan_targets(
-    plugin_dir: Path, targets: tuple[Path, ...], analyzer: object
+    plugin_dir: Path, targets: tuple[_StaticScanTarget, ...], analyzer: object
 ) -> tuple[tuple[Finding, ...], int]:
     findings: list[Finding] = []
     targets_scanned = 0
     for target in targets:
         try:
-            content = target.read_text(encoding="utf-8", errors="ignore")
+            content = target.read_path.read_text(encoding="utf-8", errors="ignore")
         except OSError:
             continue
-        content_type = "mcp-config" if target.name == ".mcp.json" else "mcp-source"
         external_findings = await analyzer.analyze(
             content,
             {
-                "tool_name": target.name,
-                "content_type": content_type,
-                "file_path": str(target),
+                "tool_name": target.tool_name,
+                "content_type": target.content_type,
+                "file_path": str(target.read_path),
             },
         )
         targets_scanned += 1
         for finding in external_findings:
-            findings.append(_normalize_finding(plugin_dir, target, finding))
+            findings.append(_normalize_finding(plugin_dir, target.read_path, finding))
     return tuple(findings), targets_scanned
 def run_cisco_mcp_scan(plugin_dir: Path, mode: str = "auto") -> CiscoMcpScanSummary:
     """Run Cisco MCP scanner static analysis when available."""
+    config_path = plugin_dir / ".mcp.json"
     if mode == "off":
         return _build_summary(
             status=CiscoIntegrationStatus.SKIPPED,
             message="Cisco MCP scanning disabled by configuration.",
         )
-    if not (plugin_dir / ".mcp.json").is_file():
+    if _safe_resolved_static_target(plugin_dir, config_path) is None:
         return _build_summary(
             status=CiscoIntegrationStatus.SKIPPED,
             message="No .mcp.json found; Cisco MCP scan skipped.",

{plugin_scanner-2.0.83 → plugin_scanner-2.0.84}/src/codex_plugin_scanner/version.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """Single source of truth for tool version."""
-__version__ = "2.0.83"
+__version__ = "2.0.84"

{plugin_scanner-2.0.83 → plugin_scanner-2.0.84}/tests/test_guard_runtime.py RENAMED Viewed

@@ -541,6 +541,137 @@ Please investigate the bug end to end, fix the publish flow, and make sure user-
         assert output["recorded"] is True
         assert "approval_requests" not in output
+    def test_codex_post_tool_use_allows_short_option_value_payloads(
+        self,
+        monkeypatch,
+        tmp_path,
+        capsys,
+    ) -> None:
+        home_dir = tmp_path / "home"
+        workspace_dir = tmp_path / "workspace"
+        _build_guard_fixture(home_dir, workspace_dir)
+        event = {
+            "event": "PostToolUse",
+            "tool_name": "Bash",
+            "tool_input": {"command": "rg -gLICENSE TOKEN src"},
+            "tool_response": {
+                "stdout": "src/config.ts:1:const auth_token = process.env.TOKEN",
+            },
+            "source_scope": "project",
+        }
+        monkeypatch.setattr(sys, "stdin", io.StringIO(json.dumps(event)))
+        rc = main(
+            [
+                "guard",
+                "hook",
+                "--home",
+                str(home_dir),
+                "--workspace",
+                str(workspace_dir),
+                "--harness",
+                "codex",
+                "--json",
+            ]
+        )
+        output = json.loads(capsys.readouterr().out)
+        assert rc == 0
+        assert output["recorded"] is True
+        assert "approval_requests" not in output
+    def test_codex_post_tool_use_allows_double_dash_terminated_literal_pattern(
+        self,
+        monkeypatch,
+        tmp_path,
+        capsys,
+    ) -> None:
+        home_dir = tmp_path / "home"
+        workspace_dir = tmp_path / "workspace"
+        _build_guard_fixture(home_dir, workspace_dir)
+        event = {
+            "event": "PostToolUse",
+            "tool_name": "Bash",
+            "tool_input": {"command": "rg -- --follow src"},
+            "tool_response": {
+                "stdout": "src/config.ts:1:const auth_token = process.env.TOKEN",
+            },
+            "source_scope": "project",
+        }
+        monkeypatch.setattr(sys, "stdin", io.StringIO(json.dumps(event)))
+        rc = main(
+            [
+                "guard",
+                "hook",
+                "--home",
+                str(home_dir),
+                "--workspace",
+                str(workspace_dir),
+                "--harness",
+                "codex",
+                "--json",
+            ]
+        )
+        output = json.loads(capsys.readouterr().out)
+        assert rc == 0
+        assert output["recorded"] is True
+        assert "approval_requests" not in output
+    @pytest.mark.parametrize(
+        "command",
+        (
+            "rg --follow TOKEN src",
+            "rg -L TOKEN src",
+            "grep -R TOKEN src",
+        ),
+    )
+    def test_codex_post_tool_use_blocks_symlink_following_source_search_flags(
+        self,
+        monkeypatch,
+        tmp_path,
+        capsys,
+        command: str,
+    ) -> None:
+        home_dir = tmp_path / "home"
+        workspace_dir = tmp_path / "workspace"
+        _build_guard_fixture(home_dir, workspace_dir)
+        secret_file = home_dir / ".aws" / "credentials"
+        _write_text(secret_file, "auth_token=outside-secret\n")
+        src_dir = workspace_dir / "src"
+        src_dir.mkdir()
+        (src_dir / "config.ts").symlink_to(secret_file)
+        event = {
+            "event": "PostToolUse",
+            "tool_name": "Bash",
+            "tool_input": {"command": command},
+            "tool_response": {
+                "stdout": "src/config.ts:1:auth_token=outside-secret",
+            },
+            "source_scope": "project",
+        }
+        monkeypatch.setattr(sys, "stdin", io.StringIO(json.dumps(event)))
+        rc = main(
+            [
+                "guard",
+                "hook",
+                "--home",
+                str(home_dir),
+                "--workspace",
+                str(workspace_dir),
+                "--harness",
+                "codex",
+                "--json",
+            ]
+        )
+        output = json.loads(capsys.readouterr().out)
+        assert rc == 1
+        assert output["artifact_type"] == "tool_action_request"
+        assert output["approval_requests"]
     def test_codex_post_tool_use_allows_ripgrep_type_not_source_search(
         self,
         monkeypatch,

{plugin_scanner-2.0.83 → plugin_scanner-2.0.84}/tests/test_mcp_security.py RENAMED Viewed

@@ -103,6 +103,130 @@ def test_scan_includes_dist_descendants(monkeypatch, tmp_path: Path) -> None:
     assert any(path.endswith("dist/server.js") for path in analyzed_paths)
+def test_scan_skips_source_symlink_resolving_outside_plugin_root(monkeypatch, tmp_path: Path) -> None:
+    plugin_dir = tmp_path / "plugin"
+    _write_plugin(plugin_dir)
+    outside_secret = tmp_path / "outside.py"
+    outside_secret.write_text("auth_token = 'outside-secret'\n", encoding="utf-8")
+    (plugin_dir / "leak.py").symlink_to(outside_secret)
+    analyzed_paths: list[str] = []
+    analyzed_contents: list[str] = []
+    class RecordingYaraAnalyzer:
+        def __init__(self, *args: object, **kwargs: object) -> None:
+            return None
+        async def analyze(self, content: str, context: dict[str, Any] | None = None) -> list[FakeCiscoFinding]:
+            analyzed_paths.append(str((context or {}).get("file_path", "")))
+            analyzed_contents.append(content)
+            return []
+    monkeypatch.setattr(
+        "codex_plugin_scanner.integrations.cisco_mcp_scanner._load_mcp_scanner_components",
+        lambda: {"YaraAnalyzer": RecordingYaraAnalyzer},
+    )
+    summary = run_cisco_mcp_scan(plugin_dir, mode="on")
+    assert summary.status == CiscoIntegrationStatus.ENABLED
+    assert summary.targets_scanned == 2
+    assert str(plugin_dir / "leak.py") not in analyzed_paths
+    assert all("outside-secret" not in content for content in analyzed_contents)
+def test_scan_skips_symlinked_mcp_config_outside_plugin_root(monkeypatch, tmp_path: Path) -> None:
+    plugin_dir = tmp_path / "plugin"
+    _write_plugin(plugin_dir)
+    (plugin_dir / ".mcp.json").unlink()
+    outside_config = tmp_path / "outside-mcp.json"
+    outside_config.write_text(
+        json.dumps({"mcpServers": {"outside": {"command": "python", "args": ["secret.py"]}}}),
+        encoding="utf-8",
+    )
+    (plugin_dir / ".mcp.json").symlink_to(outside_config)
+    loader_state = {"called": False}
+    class RecordingYaraAnalyzer:
+        def __init__(self, *args: object, **kwargs: object) -> None:
+            return None
+    def _loader() -> dict[str, type[RecordingYaraAnalyzer]]:
+        loader_state["called"] = True
+        return {"YaraAnalyzer": RecordingYaraAnalyzer}
+    monkeypatch.setattr(
+        "codex_plugin_scanner.integrations.cisco_mcp_scanner._load_mcp_scanner_components",
+        _loader,
+    )
+    summary = run_cisco_mcp_scan(plugin_dir, mode="on")
+    assert summary.status == CiscoIntegrationStatus.SKIPPED
+    assert loader_state["called"] is False
+def test_scan_resolves_in_root_symlink_targets_before_analysis(monkeypatch, tmp_path: Path) -> None:
+    plugin_dir = tmp_path / "plugin"
+    _write_plugin(plugin_dir)
+    real_source = plugin_dir / "real.py"
+    real_source.write_text("print('real')\n", encoding="utf-8")
+    (plugin_dir / "link.py").symlink_to(real_source)
+    analyzed_paths: list[str] = []
+    class RecordingYaraAnalyzer:
+        def __init__(self, *args: object, **kwargs: object) -> None:
+            return None
+        async def analyze(self, content: str, context: dict[str, Any] | None = None) -> list[FakeCiscoFinding]:
+            analyzed_paths.append(str((context or {}).get("file_path", "")))
+            return []
+    monkeypatch.setattr(
+        "codex_plugin_scanner.integrations.cisco_mcp_scanner._load_mcp_scanner_components",
+        lambda: {"YaraAnalyzer": RecordingYaraAnalyzer},
+    )
+    summary = run_cisco_mcp_scan(plugin_dir, mode="on")
+    assert summary.status == CiscoIntegrationStatus.ENABLED
+    assert summary.targets_scanned == 3
+    assert str(real_source.resolve()) in analyzed_paths
+    assert str(plugin_dir / "link.py") not in analyzed_paths
+def test_scan_preserves_symlinked_mcp_config_identity(monkeypatch, tmp_path: Path) -> None:
+    plugin_dir = tmp_path / "plugin"
+    _write_plugin(plugin_dir)
+    real_config = plugin_dir / "configs" / "base.json"
+    real_config.parent.mkdir()
+    real_config.write_text(
+        json.dumps({"mcpServers": {"demo": {"command": "python", "args": ["server.py"]}}}),
+        encoding="utf-8",
+    )
+    (plugin_dir / ".mcp.json").unlink()
+    (plugin_dir / ".mcp.json").symlink_to(real_config)
+    analyzed_contexts: list[dict[str, Any]] = []
+    class RecordingYaraAnalyzer:
+        def __init__(self, *args: object, **kwargs: object) -> None:
+            return None
+        async def analyze(self, content: str, context: dict[str, Any] | None = None) -> list[FakeCiscoFinding]:
+            analyzed_contexts.append(dict(context or {}))
+            return []
+    monkeypatch.setattr(
+        "codex_plugin_scanner.integrations.cisco_mcp_scanner._load_mcp_scanner_components",
+        lambda: {"YaraAnalyzer": RecordingYaraAnalyzer},
+    )
+    summary = run_cisco_mcp_scan(plugin_dir, mode="on")
+    assert summary.status == CiscoIntegrationStatus.ENABLED
+    assert analyzed_contexts[0]["tool_name"] == ".mcp.json"
+    assert analyzed_contexts[0]["content_type"] == "mcp-config"
 def test_mcp_security_auto_mode_unavailable_is_not_applicable(monkeypatch, tmp_path: Path) -> None:
     plugin_dir = tmp_path / "plugin"
     _write_plugin(plugin_dir)