fix(security): SHA fail-closed install + .mdc rule scan + rollback path traversal#1
Open
aaronjmars wants to merge 1 commit into
1. upgrade.py / install_extras.py: fail-closed sha verification
- Refuse to apply when MANIFEST.sha256 is missing
- Refuse pack-owned sources that aren't listed in the manifest
- Previously these paths warned and copied anyway, allowing a tampered
source to install if the attacker also dropped its line from the
manifest (or removed the manifest entirely).
2. scan_agent_safety.py: scan .mdc rules + force-include templates/rules/
- Add .mdc and .mdc.template to the agent-suffix set
- Force-include templates/rules/protocol-enforcement.mdc even though
the parent 'templates/' directory remains in the default exclude list
(the file is pack-owned, copied into .cursor/rules/, and loads with
alwaysApply: true on every Cursor session)
3. upgrade.py rollback(): refuse path-traversal in tar member names and
creation entries; refuse symlinks. Previously a poisoned snapshot
tarball or sidecar JSON could write/delete files outside project_root.
No public PR opened; advisory link will go in the PVR body.
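Item 1 above describes a fail-closed manifest check in words only. The following is an added example written for this review (not the repository's install_extras.py or upgrade.py, whose code is not on this page) that shows the rule as working code: MANIFEST.sha256 is assumed to use sha256sum-style lines, PACK_OWNED and the pack fixture are constructed for the demo, and the helper names are hypothetical. It exercises the accepted case beside the three refusals: manifest missing, source not listed, digest mismatch.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Pack-owned files the installer copies; constructed list for this example,
# not the real pack's inventory.
PACK_OWNED = ("rules/protocol-enforcement.mdc", "scripts/helper.py")


class VerificationError(Exception):
    """Raised when a pack-owned source cannot be proven to match MANIFEST.sha256."""


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ('<64 hex>  <relative path>') into {path: digest}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise VerificationError(f"malformed manifest line {lineno}: {raw!r}")
        entries[parts[1].strip()] = parts[0].lower()
    return entries


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large pack files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pack_sources(pack_root: Path, pack_owned: list[str]) -> list[Path]:
    """Fail-closed check: return the verified source paths, or raise.

    Refuses when MANIFEST.sha256 is missing, when a pack-owned source is not
    listed in it, or when a listed digest does not match the file on disk.
    The fail-open behaviour being replaced warned and copied in the first two cases.
    """
    manifest_path = pack_root / "MANIFEST.sha256"
    if not manifest_path.is_file():
        raise VerificationError("MANIFEST.sha256 missing; refusing to install pack-owned files")
    entries = parse_manifest(manifest_path.read_text(encoding="utf-8"))
    verified = []
    for rel in pack_owned:
        if Path(rel).is_absolute() or ".." in Path(rel).parts:
            raise VerificationError(f"refusing non-relative pack path {rel!r}")
        expected = entries.get(rel)
        if expected is None:
            raise VerificationError(f"{rel} is pack-owned but not listed in MANIFEST.sha256")
        src = pack_root / rel
        if not src.is_file():
            raise VerificationError(f"{rel} listed in MANIFEST.sha256 but missing from pack")
        if not hmac.compare_digest(sha256_of(src), expected):
            raise VerificationError(f"{rel}: digest mismatch")
        verified.append(src)
    return verified


def build_demo_pack(root: Path, scenario: str) -> None:
    """Constructed pack fixture with two pack-owned files and a manifest."""
    files = {
        PACK_OWNED[0]: b"alwaysApply: true\n# constructed rule body\n",
        PACK_OWNED[1]: b"print('constructed helper')\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    lines = [f"{hashlib.sha256(body).hexdigest()}  {rel}" for rel, body in files.items()]
    if scenario == "unlisted":       # the manifest line for the .mdc file is absent
        lines = lines[1:]
    if scenario == "tampered":       # file changed after the manifest was written
        (root / PACK_OWNED[0]).write_bytes(b"# modified after the manifest was written\n")
    if scenario != "no_manifest":
        (root / "MANIFEST.sha256").write_text("\n".join(lines) + "\n", encoding="utf-8")


def demo_install(scenario: str) -> str:
    """Run the check against one constructed scenario; 'ok:<files>' or 'refused:<reason>'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_pack(root, scenario)
        try:
            verified = verify_pack_sources(root, list(PACK_OWNED))
            return "ok:" + ",".join(p.relative_to(root).as_posix() for p in verified)
        except VerificationError as exc:
            return "refused:" + str(exc)


if __name__ == "__main__":
    for s in ("clean", "no_manifest", "unlisted", "tampered"):
        print(f"{s:12s} -> {demo_install(s)}")
```

The caller copies only the paths returned by verify_pack_sources(), so a single refusal anywhere in the list aborts the whole install rather than shipping the files verified so far; hmac.compare_digest() is used for the hex comparison out of habit, since the digests are not secret here but the cost is nil.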
Author
Friendly bump — three small hardening items: SHA fail-closed install,
Author
Friendly bump — three small hardening items in this first PR on the repo: SHA fail-closed install,
Summary

Three issues from the same scan, sharing an attack root (a malicious or tampered "pack"). Bundled here because the fixes are small and inter-related, but happy to split into 3 PRs if you'd prefer.

1. SHA fail-open in install_extras.py / upgrade.py (CWE-345 — CRITICAL)

Pack installation accepts pack-owned files when MANIFEST.sha256 is missing or doesn't list the file (warned + copied anyway). A tampered pack can drop a malicious file + delete its manifest line and the installer ships it.

Fix: refuse to install when manifest is missing or when a pack-owned source isn't listed. Fail-closed.

2. .mdc rules excluded from agent-safety scan (CWE-693 — HIGH)

scan_agent_safety.py doesn't scan .mdc (Cursor rules). templates/rules/protocol-enforcement.mdc is loaded by Cursor with alwaysApply: true every session — anything injected here runs as a protocol on every agent start.

Fix: add .mdc / .mdc.template to the scanned suffix set, force-include templates/rules/protocol-enforcement.mdc even though templates/ is otherwise excluded by default.

3. upgrade.py rollback() path traversal (CWE-22 — MEDIUM/HIGH)

Snapshot tarball extracted without validating member names; sidecar JSON "creation entries" applied without bounding paths. A poisoned snapshot can write/delete files outside project_root (../../.bashrc, absolute paths, symlinks).

Fix: reject ../, absolute, and symlink members on both extraction and creation paths.

Patch

- install_extras.py (+17 / −6)
- scan_agent_safety.py (+45 / −5)
- upgrade.py (+62 / −14)

Coordination

Originally queued as a PVR draft on 2026-05-02 — no PVR endpoint was actually available, opening as a public PR. Happy to take down + re-file privately if you'd prefer.

Filed by aaronjmars (vuln-scanner).
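Item 3 lists the three member classes a rollback must refuse (../ components, absolute names, symlinks) on both the extraction path and the creation-entry path, but the diff itself is not on this page. The following is an added example written for this review, not the repository's upgrade.py rollback(): it assumes the sidecar JSON has the shape {"created": [...]} listing files the upgrade created (a guess at the format, not taken from the project), uses hypothetical helper names, and builds constructed snapshot tarballs in a temp directory so the refusals can be checked against what actually lands on disk.

```python
import io
import json
import shutil
import tarfile
import tempfile
from pathlib import Path


class RollbackError(Exception):
    """Raised when a snapshot member or creation entry would escape project_root."""


def resolve_inside(project_root: Path, rel: str) -> Path:
    """Map a snapshot-relative name to a path that is provably under project_root."""
    if not rel or rel.startswith(("/", "\\")) or Path(rel).is_absolute():
        raise RollbackError(f"absolute path refused: {rel!r}")
    if ".." in Path(rel).parts:
        raise RollbackError(f"path traversal refused: {rel!r}")
    root = project_root.resolve()
    lexical = root / rel
    if lexical.is_symlink():                     # never write or delete through a link
        raise RollbackError(f"symlink refused: {rel!r}")
    target = lexical.resolve()                   # follows any symlinked parent component
    if target != root and root not in target.parents:
        raise RollbackError(f"escapes project_root: {rel!r}")
    return target


def safe_extract(tar_bytes: bytes, project_root: Path) -> list[str]:
    """Extract a snapshot tarball; every member is validated before any file is written."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        members = tar.getmembers()
        targets = []
        for m in members:                        # pass 1: validate, touch nothing
            if m.issym() or m.islnk():
                raise RollbackError(f"link member refused: {m.name!r}")
            if not (m.isfile() or m.isdir()):
                raise RollbackError(f"special member refused: {m.name!r}")
            targets.append(resolve_inside(project_root, m.name))
        written = []
        for m, dest in zip(members, targets):    # pass 2: write inside the tree only
            if m.isdir():
                dest.mkdir(parents=True, exist_ok=True)
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(m) as src, open(dest, "wb") as out:
                shutil.copyfileobj(src, out)
            written.append(m.name)
    return written


def apply_creation_entries(sidecar_json: str, project_root: Path) -> list[str]:
    """Remove files the upgrade created. The {"created": [...]} layout is an assumption."""
    entries = json.loads(sidecar_json).get("created", [])
    targets = [resolve_inside(project_root, rel) for rel in entries]  # validate all first
    removed = []
    for rel, path in zip(entries, targets):
        if path.is_file():
            path.unlink()
            removed.append(rel)
    return removed


def build_tar(files, symlinks=None) -> bytes:
    """Constructed snapshot tarball for the scenarios below (not a real snapshot)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
        for name, linkname in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type, info.linkname = tarfile.SYMTYPE, linkname
            tar.addfile(info)
    return buf.getvalue()


def demo_rollback(case: str) -> tuple[str, list[str]]:
    """Run one scenario; return (outcome, names that landed beside project_root)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "project"
        root.mkdir()
        (root / "created_by_upgrade.txt").write_text("constructed\n")
        cases = {  # constructed snapshots; 'traversal' targets the parent of project_root
            "clean": (build_tar({"config/app.toml": b"[ok]\n"}), '{"created": ["created_by_upgrade.txt"]}'),
            "traversal": (build_tar({"../outside.txt": b"constructed\n"}), '{"created": []}'),
            "absolute": (build_tar({"/tmp/constructed_abs.txt": b"constructed\n"}), '{"created": []}'),
            "symlink": (build_tar({}, {"config": ".."}), '{"created": []}'),
            "creation_escape": (build_tar({}), '{"created": ["../outside.txt"]}'),
        }
        tar_bytes, sidecar = cases[case]
        try:
            written = safe_extract(tar_bytes, root)
            removed = apply_creation_entries(sidecar, root)
            outcome = f"ok written={written} removed={removed}"
        except RollbackError as exc:
            outcome = f"refused: {exc}"
        outside = sorted(p.name for p in Path(tmp).iterdir() if p.name != "project")
        return outcome, outside
```

Both the extraction and the creation-entry path validate the complete list before touching the filesystem, so a single bad entry leaves the tree exactly as it was instead of half-rolled-back; the lexical ".." check runs before resolve() so that a symlinked parent cannot be used to make a traversal look in-tree after resolution.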