Skip to content

fix(security): pin gate-file integrity — pre-push hook can't run branch-controlled RCE (audit 2e-01)#50

Merged
runyourempire merged 1 commit into
mainfrom
fix/gate-hook-rce
Jul 4, 2026
Merged

fix(security): pin gate-file integrity — pre-push hook can't run branch-controlled RCE (audit 2e-01)#50
runyourempire merged 1 commit into
mainfrom
fix/gate-hook-rce

Conversation

@runyourempire

Copy link
Copy Markdown
Collaborator

Closes the sole GPT-5.5 adversarial-audit finding on the 0.8.6 candidate (2e-01, High — contributor-workflow RCE).

The bug (CONFIRMED against live code)

The installed .git/hooks/pre-push delegated straight into the tracked .githooks/pre-push, which runs the tracked .verax/gate.json cmd fields via verax pipeline. Both files are branch-controlled, so a developer who had the gate installed and then checked out a malicious branch would execute arbitrary commands on the next git push. Repro (verified): a gate spec {"cmd":"cmd /c echo owned>poc.txt"} wrote the file through the bare delegate.

Scope (the honest calibration)

cargo package --list for victauri-plugin and victauri-cli confirms .githooks/, .verax/, and tools/ ship in no published crate — so no released artifact was ever affected. This is repo dev-tooling, reachable only by a maintainer building an untrusted PR branch locally. Real, and worth fixing before we open to contributions — fixed rather than waived.

The fix (hash-pin, fail-closed)

tools/install-gate.sh now hashes .githooks/pre-push + .verax/gate.json at install time (sha256, git hash-object fallback) and stores the hashes untracked in .git/verax-gate.pin (a branch cannot alter it; placed in --git-common-dir so one install covers all linked worktrees). The installed hook verifies both files against their pins before delegating and REFUSES (fail-closed) on any drift, a missing pin, or an unhashable file. Legitimate gate changes get a loud "review the diff, then re-run tools/install-gate.sh to re-pin" — an attacker's silent swap never runs.

Verified (4 cases)

  1. unchanged files → delegates normally (this PR's own push proved the positive path live);
  2. tamper gate.json with the exact repro spec → REFUSING, exit 1, poc file NOT created;
  3. tamper .githooks/pre-push → REFUSING;
  4. missing pin → REFUSING.

Residual (disclosed)

The same install-gate.sh + .githooks/pre-push pattern exists in other Verax fleet repos — propagate this fix there (separate working trees, out of scope for this PR).

🤖 Generated with Claude Code

https://claude.ai/code/session_01CsePmfHDMBKRNDLNb3TLD5

… branch-controlled RCE

GPT-5.5 adversarial audit finding 2e-01 (High, contributor-workflow RCE). The
installed .git/hooks/pre-push delegated straight into the TRACKED .githooks/pre-push,
which runs .verax/gate.json's cmd fields via 'verax pipeline'. Both files are
branch-controlled, so a developer who had the gate installed and then checked out a
malicious branch would execute arbitrary commands on 'git push' (verified repro: a
gate.json with {"cmd":"cmd /c echo owned>poc.txt"} wrote the file through the bare
delegate).

Fix (GPT's recommended shape): at install time, hash .githooks/pre-push and
.verax/gate.json and store the hashes UNTRACKED in the common git dir
(.git/verax-gate.pin, which a branch cannot alter). The installed hook now verifies
both files against their pins BEFORE delegating and REFUSES (fail-closed) on any
drift, a missing pin, or an unhashable file. Legitimate gate changes surface a loud
're-run tools/install-gate.sh to re-pin' prompt after the developer reviews the diff;
an attacker's silent swap can never execute. Pin lives in --git-common-dir so one
install covers every linked worktree (shared hooks).

Verified: tamper gate.json -> REFUSING, exit 1, poc file NOT created; tamper
pre-push -> REFUSING; missing pin -> REFUSING; unchanged -> delegates normally.

Note: this is repo dev-tooling — it does NOT ship in any published crate
(cargo package --list confirms .githooks/.verax/tools are absent), so no released
artifact was ever affected. Same install-gate.sh pattern exists in other fleet repos;
propagate there.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01CsePmfHDMBKRNDLNb3TLD5
@runyourempire runyourempire merged commit 3b98a77 into main Jul 4, 2026
21 checks passed
@runyourempire runyourempire deleted the fix/gate-hook-rce branch July 4, 2026 11:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant