fix(security): pin gate-file integrity — pre-push hook can't run branch-controlled RCE (audit 2e-01)#50
Merged
Merged
Conversation
… branch-controlled RCE
GPT-5.5 adversarial audit finding 2e-01 (High, contributor-workflow RCE). The
installed .git/hooks/pre-push delegated straight into the TRACKED .githooks/pre-push,
which runs .verax/gate.json's cmd fields via 'verax pipeline'. Both files are
branch-controlled, so a developer who had the gate installed and then checked out a
malicious branch would execute arbitrary commands on 'git push' (verified repro: a
gate.json with {"cmd":"cmd /c echo owned>poc.txt"} wrote the file through the bare
delegate).
Fix (GPT's recommended shape): at install time, hash .githooks/pre-push and
.verax/gate.json and store the hashes UNTRACKED in the common git dir
(.git/verax-gate.pin, which a branch cannot alter). The installed hook now verifies
both files against their pins BEFORE delegating and REFUSES (fail-closed) on any
drift, a missing pin, or an unhashable file. Legitimate gate changes surface a loud
're-run tools/install-gate.sh to re-pin' prompt after the developer reviews the diff;
an attacker's silent swap can never execute. Pin lives in --git-common-dir so one
install covers every linked worktree (shared hooks).
Verified: tamper gate.json -> REFUSING, exit 1, poc file NOT created; tamper
pre-push -> REFUSING; missing pin -> REFUSING; unchanged -> delegates normally.
Note: this is repo dev-tooling — it does NOT ship in any published crate
(cargo package --list confirms .githooks/.verax/tools are absent), so no released
artifact was ever affected. Same install-gate.sh pattern exists in other fleet repos;
propagate there.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01CsePmfHDMBKRNDLNb3TLD5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes the sole GPT-5.5 adversarial-audit finding on the 0.8.6 candidate (2e-01, High — contributor-workflow RCE).
The bug (CONFIRMED against live code)
The installed
.git/hooks/pre-pushdelegated straight into the tracked.githooks/pre-push, which runs the tracked.verax/gate.jsoncmdfields viaverax pipeline. Both files are branch-controlled, so a developer who had the gate installed and then checked out a malicious branch would execute arbitrary commands on the nextgit push. Repro (verified): a gate spec{"cmd":"cmd /c echo owned>poc.txt"}wrote the file through the bare delegate.Scope (the honest calibration)
cargo package --listforvictauri-pluginandvictauri-cliconfirms.githooks/,.verax/, andtools/ship in no published crate — so no released artifact was ever affected. This is repo dev-tooling, reachable only by a maintainer building an untrusted PR branch locally. Real, and worth fixing before we open to contributions — fixed rather than waived.The fix (hash-pin, fail-closed)
tools/install-gate.shnow hashes.githooks/pre-push+.verax/gate.jsonat install time (sha256,git hash-objectfallback) and stores the hashes untracked in.git/verax-gate.pin(a branch cannot alter it; placed in--git-common-dirso one install covers all linked worktrees). The installed hook verifies both files against their pins before delegating and REFUSES (fail-closed) on any drift, a missing pin, or an unhashable file. Legitimate gate changes get a loud "review the diff, then re-run tools/install-gate.sh to re-pin" — an attacker's silent swap never runs.Verified (4 cases)
gate.jsonwith the exact repro spec → REFUSING, exit 1, poc file NOT created;.githooks/pre-push→ REFUSING;Residual (disclosed)
The same
install-gate.sh+.githooks/pre-pushpattern exists in other Verax fleet repos — propagate this fix there (separate working trees, out of scope for this PR).🤖 Generated with Claude Code
https://claude.ai/code/session_01CsePmfHDMBKRNDLNb3TLD5