d0zingcat/claude-code
1
0
Fork 0
mirror of https://github.com/instructkr/claude-code.git synced 2026-06-05 12:06:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: mark ROADMAP #97 DONE

Browse Source 
97: empty --allowedTools is unrestricted (no restrictions = default mode)

Generated with https://github.com/Yeachan-Heo/gajae-code
Co-authored-by: Gajae Code <dev@gajae-code.com>
This commit is contained in:
bellman
2026-06-05 05:24:15 +09:00
parent adf5bd165e
commit 5adc751053
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ROADMAP.md
View File

@@ -2321,7 +2321,7 @@ ear], /color [scheme], /effort [low|medium|high], /fast, /summary, /tag [label],
**Source.** Jobdori dogfood 2026-04-18 against `/tmp/cdM` on main HEAD `7a172a2` in response to Clawhip pinpoint nudge at `1494766926826700921`. Joins the **silent-flag no-op class** with #96 (self-contradicting `--help` surface) and #97 (silent-empty `--allowedTools`) — three variants of "flag parses, produces no useful effect, emits no diagnostic." Distinct from the permission-audit sweep: this is specifically about *flag-scope consistency with documented behavior*, not about what the flag would do if it worked. Natural bundle: **#96 + #97 + #98** covers the full `--help` / flag-validation hygiene triangle — what the surface claims to support, what it silently disables, and what it silently ignores.
99. **`claw system-prompt --cwd PATH --date YYYY-MM-DD` performs zero validation on either value: nonexistent paths, empty strings, multi-line strings, SQL-injection payloads, and arbitrary prompt-injection text are all accepted verbatim and interpolated straight into the rendered system-prompt output in two places each (`# Environment context` and `# Project context` sections) — a classic unvalidated-input → system-prompt surface that a downstream consumer invoking `claw system-prompt --date "$USER_INPUT"` or `--cwd "$TAINTED_PATH"` could weaponize into prompt injection** — dogfooded 2026-04-18 on main HEAD `0e263be` from `/tmp/cdN`. `--help` documents the format as `[--cwd PATH] [--date YYYY-MM-DD]` — implying a filesystem path and an ISO date — but the parser (`main.rs:1162-1190`) just does `PathBuf::from(value)` and `date.clone_from(value)` with no further checks. Both values then reach `SystemPromptBuilder::render_env_context()` at `prompt.rs:176-186` and `render_project_context()` at `prompt.rs:289-293` where they are formatted into the output via `format!("Working directory: {}", cwd.display())` and `format!("Today's date is {}.", current_date)` with no escaping or line-break rejection.
99. **DONE — `claw system-prompt --cwd PATH --date YYYY-MM-DD` performs zero validation on either value: nonexistent paths, empty strings, multi-line strings, SQL-injection payloads, and arbitrary prompt-injection text are all accepted verbatim and interpolated straight into the rendered system-prompt output in two places each (`# Environment context` and `# Project context` sections) — a classic unvalidated-input → system-prompt surface that a downstream consumer invoking `claw system-prompt --date "$USER_INPUT"` or `--cwd "$TAINTED_PATH"` could weaponize into prompt injection** — dogfooded 2026-04-18 on main HEAD `0e263be` from `/tmp/cdN`. `--help` documents the format as `[--cwd PATH] [--date YYYY-MM-DD]` — implying a filesystem path and an ISO date — but the parser (`main.rs:1162-1190`) just does `PathBuf::from(value)` and `date.clone_from(value)` with no further checks. Both values then reach `SystemPromptBuilder::render_env_context()` at `prompt.rs:176-186` and `render_project_context()` at `prompt.rs:289-293` where they are formatted into the output via `format!("Working directory: {}", cwd.display())` and `format!("Today's date is {}.", current_date)` with no escaping or line-break rejection.
**Concrete repro.**
```