Summary
CodeLens handles untrusted file paths and source code but lacks several security hardening features. Add path traversal protection, config secret redaction, git safety guard (block destructive commands from AI agents), Secretlint integration for pack output, and LLM output schema validation.
Worker consensus (5 reports)
| Worker | Source | Contribution |
| --- | --- | --- |
| CodeGraph | update!/CodeLens_CodeGraph_Upgrade_Analysis.md #17 | Path traversal protection (resolve symlinks via os.path.realpath, refuse reads outside project root). Config secret redaction (index Spring application.properties / Shopify {% schema %} by key only, never value). New PathRefusalError exception class. |
| UBS | update!/CodeLens_UBS_Upgrade_Analysis.md #5 | Git safety guard — scripts/git_safety_guard.py intercepts shell commands before execution, blocks git reset --hard, git push --force, git checkout -- <file>, git clean -fd, rm -rf (non-temp), git branch -D, git stash drop/clear. Allow rm -rf only for ${TMPDIR}/, /tmp/, /var/tmp/. CODELENS_SKIP_SAFETY_GUARD=1 bypass. Audit log at ~/.codelens/safety-guard.log. |
| Repomix | update!/CodeLens_vs_Repomix_Upgrade_Analysis.md R9 | Secretlint integration — @secretlint/secretlint-rule-preset-recommend (~20 rules for AWS key, Google API, Slack, Stripe, GitHub, private key, DB URL, high-entropy). Auto-exclude files containing secrets from pack output. |
| Repomix | same file R7 | File system MCP tools (file_system_read_file, file_system_read_directory) with Secretlint validation, refuse relative path, refuse path traversal (..). |
| UnderstandAnything | update!/CodeLens_vs_UnderstandAnything_Upgrade_Analysis.md U7 | Schema validation & auto-fix for LLM output — sanitize_graph(), auto_fix_graph(), validate_graph(). Issue levels: auto-corrected, error, fatal. Categories: missing-field, alias, type-coercion, dangling-reference, invalid-enum. |
| OpenTaint | update!/CodeLens_vs_OpenTaint_Upgrade_Analysis.md C3 | PoC generation (dynamic vulnerability confirmation) — codelens generate-poc <finding-name> auto-starts app, sends payloads per vuln class (SQLi, CMDi, path traversal, XSS, SSRF, XXE), asserts observable evidence. Bind 127.0.0.1 only (security). |
Proposed scope (P1, 4-6 weeks total)
Phase 1 — Path traversal protection (P1, 3 days)
- os.path.realpath(path) to resolve symlinks
- Refuse reads whose real location is outside project root
- Still allow symlinks that stay within project
- Apply to all MCP tools returning file content
- New PathRefusalError exception class
- New file: scripts/security/path_traversal.py
Phase 2 — Config secret redaction (P1, 1 week)
- Index Spring application.properties / application.yml by key only (never value)
- Index Shopify Liquid {% schema %} blocks by name only
- Apply in extraction layer (don't store value in DB)
- Agent that needs value reads the file itself
- New file: scripts/security/config_secret_redaction.py
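Added example, not CodeLens code and not the planned scripts/security/config_secret_redaction.py: a key-only indexer for the two formats named in Phase 2, returning what the extraction layer would be allowed to store. The function names (index_properties, index_liquid_schema, extraction_record), the omission of application.yml, and the sample inputs are assumptions; the .properties rules (key=value, key: value, key value, # and ! comments, backslash continuation, escaped separators) are those of the Java Properties format.

```python
import json
import re

REDACTED = "<redacted>"
# A key ends at the first unescaped '=', ':' or whitespace; '\=', '\:' and '\ ' stay in the key.
KEY_RE = re.compile(r"((?:\\.|[^\\=:\s])+)")
SCHEMA_RE = re.compile(r"\{%-?\s*schema\s*-?%\}(.*?)\{%-?\s*endschema\s*-?%\}", re.S)


def _logical_lines(text: str):
    """Yield .properties logical lines: comment lines skipped, backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd number of trailing backslashes: the value continues
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def index_properties(text: str) -> dict:
    """Return {key: REDACTED}: key names are kept, values are never copied into the index."""
    index = {}
    for line in _logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            index[re.sub(r"\\(.)", r"\1", m.group(1))] = REDACTED  # unescape '\=', '\:', '\ '
    return index


def index_liquid_schema(text: str) -> list:
    """Return the name of each {% schema %} block; setting ids, defaults and values are not indexed."""
    names = []
    for m in SCHEMA_RE.finditer(text):
        try:
            schema = json.loads(m.group(1))
        except json.JSONDecodeError:
            names.append("<unparseable schema>")
            continue
        names.append(schema.get("name", "<unnamed>") if isinstance(schema, dict) else "<unnamed>")
    return names


def extraction_record(filename: str, text: str) -> dict:
    """The record the extraction layer would persist: structure only, no values."""
    if filename.endswith(".properties"):
        return {"file": filename, "kind": "properties", "keys": sorted(index_properties(text))}
    if filename.endswith(".liquid"):
        return {"file": filename, "kind": "liquid-schema", "names": index_liquid_schema(text)}
    return {"file": filename, "kind": "unindexed"}


# Constructed samples; none of these values belong to a real deployment.
SAMPLE_PROPERTIES = """\
# constructed Spring config
spring.datasource.url=jdbc:postgresql://db:5432/app
spring.datasource.password = hunter2-constructed
api.token: abc123-constructed
multi.line.value = first \\
    second
escaped\\=key = value
bare.key
"""

SAMPLE_LIQUID = """\
<div>{{ section.settings.title }}</div>
{% schema %}
{ "name": "Hero banner",
  "settings": [ {"type": "text", "id": "api_key", "default": "sk_test_constructed"} ] }
{% endschema %}
"""

if __name__ == "__main__":
    print(extraction_record("src/main/resources/application.properties", SAMPLE_PROPERTIES))
    print(extraction_record("sections/hero.liquid", SAMPLE_LIQUID))
```

The continuation handling matters for redaction: a value split across lines with a trailing backslash must not be re-read as a new key on the next line, or part of the secret would land in the index.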
Phase 3 — Git safety guard (P1, 1-2 weeks)
- New scripts/git_safety_guard.py
- Intercept shell commands before execution (via Claude Code hooks AND guard --pre --command <shell-cmd>)
- Blocked commands: git reset --hard, git push --force, git checkout -- <file>, git clean -fd, rm -rf (non-temp), git branch -D, git stash drop/clear
- Allow rm -rf only for ${TMPDIR}/, /tmp/, /var/tmp/
- Actionable error messages (reason + safe alternative)
- CODELENS_SKIP_SAFETY_GUARD=1 bypass
- Audit log at ~/.codelens/safety-guard.log
- Extend guard command with --command <shell-cmd> flag
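Added example, not CodeLens code and not the planned scripts/git_safety_guard.py: a fail-closed checker for the Phase 3 blocklist. The blocked commands, the temp-directory allowance, the CODELENS_SKIP_SAFETY_GUARD=1 bypass and the log location are taken from the list above; Verdict, check_command, split_commands and the wording of the reasons and alternatives are assumptions. Commands are tokenised with shell quoting rules and split on control operators, so a destructive command chained after a harmless one is still caught, and rm -rf targets are normalised before the prefix test so /tmp/../etc does not pass as a temp path.

```python
import os
import shlex
from dataclasses import dataclass
from datetime import datetime, timezone

BYPASS_ENV = "CODELENS_SKIP_SAFETY_GUARD"
DEFAULT_LOG = os.path.expanduser("~/.codelens/safety-guard.log")
CONTROL_OPERATORS = {"&&", "||", ";", "|", "&"}

@dataclass
class Verdict:
    allowed: bool
    reason: str = ""
    alternative: str = ""

    def message(self) -> str:  # actionable text: the reason plus a safe alternative
        return "allowed" if self.allowed else f"BLOCKED: {self.reason}. Safe alternative: {self.alternative}"

def split_commands(command: str) -> list:
    """Tokenise with shell quoting rules and split on control operators, so that
    'echo ok && git reset --hard' is inspected as two simple commands."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:  # raises ValueError on unbalanced quotes
        if tok in CONTROL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def _temp_prefixes() -> tuple:
    prefixes = ["/tmp/", "/var/tmp/", "${TMPDIR}/"]
    if os.environ.get("TMPDIR"):
        prefixes.append(os.path.join(os.environ["TMPDIR"], ""))  # ensures a trailing slash
    return tuple(prefixes)

def _check_git(argv: list) -> Verdict:
    # The first non-option token is the subcommand; global options taking an argument
    # (e.g. -C <dir>) are not modelled in this example.
    sub = next((t for t in argv[1:] if not t.startswith("-")), "")
    rest = argv[argv.index(sub) + 1:] if sub else []
    if sub == "reset" and "--hard" in rest:
        return Verdict(False, "git reset --hard discards uncommitted work", "git stash, then git reset --soft")
    if sub == "push" and ("--force" in rest or "-f" in rest):
        return Verdict(False, "git push --force rewrites remote history", "git push --force-with-lease")
    if sub == "checkout" and "--" in rest:
        return Verdict(False, "git checkout -- <file> discards local changes", "git stash push <file>")
    if sub == "clean" and any(t[:1] == "-" and t[:2] != "--" and {"f", "d"} <= set(t) for t in rest):
        return Verdict(False, "git clean -fd deletes untracked files and directories", "git clean -n to preview")
    if sub == "branch" and "-D" in rest:
        return Verdict(False, "git branch -D deletes an unmerged branch", "git branch -d")
    if sub == "stash" and rest and rest[0] in {"drop", "clear"}:
        return Verdict(False, f"git stash {rest[0]} destroys stashed work", "git stash list, then git stash pop")
    return Verdict(True)

def _check_rm(argv: list) -> Verdict:
    flags = [t for t in argv[1:] if t.startswith("-")]
    targets = [t for t in argv[1:] if not t.startswith("-")]
    short = "".join(f[1:] for f in flags if not f.startswith("--"))
    recursive = "r" in short or "R" in short or "--recursive" in flags
    force = "f" in short or "--force" in flags
    if not (recursive and force):
        return Verdict(True)
    # normpath collapses '/tmp/../etc' to '/etc' before the prefix test; it also turns
    # '/tmp/' into '/tmp', so wiping a temp root itself is refused as well.
    unsafe = [t for t in targets if not os.path.normpath(t).startswith(_temp_prefixes())]
    if unsafe:
        return Verdict(False, f"rm -rf outside a temp directory: {' '.join(unsafe)}",
                       "work under /tmp/ or ${TMPDIR}/, or remove specific files without -rf")
    return Verdict(True)

def check_command(command: str, log_path: str = None) -> Verdict:
    """Guard entry point: honours the bypass variable, fails closed on unparseable
    input, and appends an audit line when log_path is given."""
    if os.environ.get(BYPASS_ENV) == "1":
        verdict, simple = Verdict(True, reason=f"{BYPASS_ENV}=1 bypass"), []
    else:
        try:
            simple, verdict = split_commands(command), Verdict(True)
        except ValueError as exc:
            simple, verdict = [], Verdict(False, f"could not parse command ({exc})", "quote arguments and retry")
    for argv in simple:
        if argv[0] == "git":
            verdict = _check_git(argv)
        elif argv[0] == "rm":
            verdict = _check_rm(argv)
        if not verdict.allowed:
            break
    if log_path:
        os.makedirs(os.path.dirname(log_path) or ".", exist_ok=True)
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write(f"{stamp}\t{'ALLOW' if verdict.allowed else 'BLOCK'}\t{command}\t{verdict.reason}\n")
    return verdict
```

A hook would call check_command(cmd, DEFAULT_LOG) and refuse to run the command when the verdict is not allowed, printing verdict.message() back to the agent. Matching is on whole tokens, so git push --force-with-lease is not mistaken for git push --force.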
Phase 4 — Secretlint integration for pack (P1, 1-2 weeks, depends on pack command issue)
- Two options: (1) Python binding for Secretlint via Node.js subprocess, OR (2) port Secretlint rules to Python regex/YAML
- ~20 rules for AWS key, Google API, Slack, Stripe, GitHub, private key, DB URL, high-entropy
- Default enabled, --no-security-check to disable
- Auto-exclude files containing secrets from pack output
- Run as a background thread so the scan does not block packing
- Alternative: integrate detect-secrets (Yelp Python library) for a pure-Python approach
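Added example, not CodeLens, Secretlint or detect-secrets code: a pure-Python stand-in for what option (2) would look like, with four illustrative patterns and an entropy heuristic, plus the pack-time exclusion with a switch that mirrors --no-security-check. Rule ids, the entropy threshold and the function names are assumptions; a real preset carries about 20 tuned rules. The sample file tree is constructed.

```python
import math
import re
from collections import Counter

# Illustrative stand-ins for a few preset rules; a real preset carries ~20 tuned patterns.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("database-url", re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:/\s]+:[^@\s]+@", re.I)),
]
# A secret-looking assignment whose value is long; the value is then entropy-tested.
ASSIGNMENT_RE = re.compile(r"""(?i)(?:secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*['"]?([A-Za-z0-9+/=_\-]{20,})""")
ENTROPY_THRESHOLD = 4.0  # bits per char; base64-like material scores roughly 4-6, prose around 3


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan_text(text: str) -> list:
    """Return [(line_no, rule_id)] for every rule that fires, line by line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        findings.extend((no, rule) for rule, pat in RULES if pat.search(line))
        findings.extend((no, "high-entropy") for m in ASSIGNMENT_RE.finditer(line)
                        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD)
    return findings


def pack_files(files: dict, security_check: bool = True) -> tuple:
    """Concatenate files for pack output, excluding any file with a finding.
    security_check=False mirrors a --no-security-check switch."""
    packed, excluded = [], {}
    for path in sorted(files):
        findings = scan_text(files[path]) if security_check else []
        if findings:
            excluded[path] = findings  # record which rule fired, never the matched value
            continue
        packed.append(f"===== {path} =====\n{files[path]}")
    return "\n".join(packed), excluded


# Constructed sample tree; the AWS id is the placeholder AWS uses in its own documentation.
SAMPLE_FILES = {
    "README.md": "# Demo\nNothing sensitive here.\n",
    "config/.env": "DB_URL=postgres://app:constructed_pw@db:5432/app\nAWS_KEY=AKIAIOSFODNN7EXAMPLE\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nconstructed-not-a-key\n-----END RSA PRIVATE KEY-----\n",
    "src/settings.py": "API_TOKEN = 'kX9vQ2mL7pR4sT1wY6zA3bC8dE5fG0hJ'\n",
}

if __name__ == "__main__":
    text, dropped = pack_files(SAMPLE_FILES)
    for path, findings in dropped.items():
        print(f"excluded {path}: {[rule for _, rule in findings]}")
    print(text)
```

Recording only the rule id and line number for excluded files keeps the secret itself out of logs and pack metadata; the entropy test is what catches a credential that no fixed pattern knows about, at the cost of occasional false positives on long random-looking identifiers.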
Phase 5 — File system MCP tools (P1, 3-5 days)
- New file_system_read_file MCP tool (with Secretlint validation from Phase 4)
- New file_system_read_directory MCP tool (list with [FILE]/[DIR] indicator, sorted)
- Refuse relative path, refuse path traversal (..)
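Added example, not CodeLens code and not the planned scripts/security/path_traversal.py, covering Phase 1 and Phase 5 together: resolve with os.path.realpath, test containment with os.path.commonpath rather than a string prefix, raise PathRefusalError on escape, and an allow_relative switch for the stricter MCP tools. PathRefusalError is the name from Phase 1; resolve_within_root, read_project_file, list_project_directory, self_check and the sandbox they build are assumptions.

```python
import os
import tempfile


class PathRefusalError(PermissionError):
    """Raised when a requested path resolves outside the project root."""


def resolve_within_root(project_root: str, requested: str, allow_relative: bool = True) -> str:
    """Return the real path of `requested` if it lies inside `project_root`.

    os.path.realpath follows symlinks and collapses '..', so a symlink pointing
    outside the project is refused while one that stays inside is allowed.
    os.path.commonpath is used instead of str.startswith so that a root of
    '/srv/proj' does not accept '/srv/proj-other/x'.
    """
    if not allow_relative and not os.path.isabs(requested):
        raise PathRefusalError(f"relative path refused: {requested!r}")
    root = os.path.realpath(project_root)
    candidate = requested if os.path.isabs(requested) else os.path.join(root, requested)
    real = os.path.realpath(candidate)
    if os.path.commonpath([root, real]) != root:
        raise PathRefusalError(f"{requested!r} resolves to {real!r}, outside {root!r}")
    return real


def read_project_file(project_root: str, requested: str, allow_relative: bool = True) -> str:
    """file_system_read_file-style read: resolve first, open only the real path."""
    with open(resolve_within_root(project_root, requested, allow_relative), encoding="utf-8") as fh:
        return fh.read()


def list_project_directory(project_root: str, requested: str, allow_relative: bool = True) -> list:
    """file_system_read_directory-style listing: sorted, with a [FILE]/[DIR] indicator."""
    path = resolve_within_root(project_root, requested, allow_relative)
    entries = []
    for name in sorted(os.listdir(path)):
        kind = "[DIR]" if os.path.isdir(os.path.join(path, name)) else "[FILE]"
        entries.append(f"{kind} {name}")
    return entries


def self_check() -> dict:
    """Exercise the guard in a constructed sandbox; returns {case: passed}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "project")
        os.makedirs(os.path.join(root, "src"))
        inside = os.path.join(root, "src", "app.py")
        outside = os.path.join(tmp, "outside.txt")  # beside the project, not in it
        with open(inside, "w", encoding="utf-8") as fh:
            fh.write("print('hi')\n")
        with open(outside, "w", encoding="utf-8") as fh:
            fh.write("not for the agent\n")
        os.symlink(inside, os.path.join(root, "link_in.py"))    # stays in project: allowed
        os.symlink(outside, os.path.join(root, "link_out.txt"))  # escapes project: refused

        results["plain_read"] = read_project_file(root, "src/app.py") == "print('hi')\n"
        results["symlink_inside"] = read_project_file(root, "link_in.py") == "print('hi')\n"
        results["listing"] = list_project_directory(root, ".") == [
            "[FILE] link_in.py", "[FILE] link_out.txt", "[DIR] src"]
        for case, arg in (("dotdot", "../outside.txt"),
                          ("symlink_outside", "link_out.txt"),
                          ("absolute_outside", outside)):
            try:
                read_project_file(root, arg)
                results[case] = False
            except PathRefusalError:
                results[case] = True
        try:
            read_project_file(root, "src/app.py", allow_relative=False)
            results["relative_refused"] = False
        except PathRefusalError:
            results["relative_refused"] = True
    return results


if __name__ == "__main__":
    for case, passed in self_check().items():
        print(f"{'PASS' if passed else 'FAIL'} {case}")
```

The check is done on the resolved path, not the requested string, so a path that looks clean but passes through a symlink to somewhere outside the project is still refused, which a '..'-only filter would miss.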
Phase 6 — LLM output schema validation (P2, 1 week, depends on LLM integration issue)
- sanitize_graph(), auto_fix_graph(), validate_graph() in scripts/knowledge_graph_schema.py
- Issue levels: auto-corrected, error, fatal
- Categories: missing-field, alias, type-coercion, dangling-reference, invalid-enum
- Validation report in output: {status, stats, issues[], recommendations}
- Test fixtures at tests/fixtures/llm-output-variation/
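Added example, not CodeLens code and not scripts/knowledge_graph_schema.py: the sanitize, then auto-fix, then validate pipeline using the three issue levels and five categories listed above, producing the {status, stats, issues[], recommendations} report. The graph shape (nodes with id/type/name, edges with source/target/relation), the enums, the alias table, the status values and the function bodies are assumptions; the sample output is constructed to show typical drift in model output.

```python
import copy

NODE_TYPES = {"file", "module", "class", "function"}
RELATIONS = {"contains", "imports", "calls"}
ALIASES = {"kind": "type", "label": "name", "from": "source", "to": "target", "rel": "relation"}
RECOMMENDATIONS = {
    "missing-field": "Require id, type, name on every node and source, target, relation on every edge.",
    "invalid-enum": f"Constrain the model to node types {sorted(NODE_TYPES)} and relations {sorted(RELATIONS)}.",
    "dangling-reference": "Drop edges whose endpoints are unknown, or re-prompt with the list of node ids.",
}

def _issue(level, category, where, detail):
    return {"level": level, "category": category, "where": where, "detail": detail}

def sanitize_graph(raw) -> dict:
    """Coerce arbitrary model output into {'nodes': [dict], 'edges': [dict]}; non-dict items are dropped."""
    graph = {"nodes": [], "edges": []}
    if isinstance(raw, dict):
        for key in graph:
            items = raw.get(key)
            graph[key] = [i for i in items if isinstance(i, dict)] if isinstance(items, list) else []
    return graph

def auto_fix_graph(graph: dict) -> tuple:
    """Apply safe corrections, recording each as an 'auto-corrected' issue; returns (fixed, issues)."""
    fixed, issues = copy.deepcopy(graph), []
    for kind in ("node", "edge"):
        for i, item in enumerate(fixed[kind + "s"]):
            where = f"{kind}[{i}]"
            for alias, canonical in ALIASES.items():  # category: alias
                if alias in item and canonical not in item:
                    item[canonical] = item.pop(alias)
                    issues.append(_issue("auto-corrected", "alias", where, f"{alias} -> {canonical}"))
            for field in ("id", "source", "target"):  # category: type-coercion
                if isinstance(item.get(field), int) and not isinstance(item[field], bool):
                    item[field] = str(item[field])
                    issues.append(_issue("auto-corrected", "type-coercion", where, f"{field}: int -> str"))
            if kind == "node":
                t = item.get("type")
                if isinstance(t, str) and t != t.lower() and t.lower() in NODE_TYPES:  # fixable enum case
                    item["type"] = t.lower()
                    issues.append(_issue("auto-corrected", "invalid-enum", where, f"type {t!r} -> {t.lower()!r}"))
                if "name" not in item and "id" in item:  # fixable missing field
                    item["name"] = item["id"]
                    issues.append(_issue("auto-corrected", "missing-field", where, "name defaulted to id"))
    return fixed, issues

def validate_graph(graph: dict, prior_issues=()) -> dict:
    """Report what could not be fixed as error/fatal: {status, stats, issues[], recommendations}."""
    issues = list(prior_issues)
    ids = {n["id"] for n in graph["nodes"] if isinstance(n.get("id"), str)}
    for i, node in enumerate(graph["nodes"]):
        where = f"node[{i}]"
        missing = [f for f in ("id", "type", "name") if f not in node]
        if missing:
            issues.append(_issue("error", "missing-field", where, ", ".join(missing)))
        if "type" in node and (not isinstance(node["type"], str) or node["type"] not in NODE_TYPES):
            issues.append(_issue("error", "invalid-enum", where, f"type={node['type']!r}"))
    for i, edge in enumerate(graph["edges"]):
        where = f"edge[{i}]"
        missing = [f for f in ("source", "target", "relation") if f not in edge]
        if missing:
            issues.append(_issue("error", "missing-field", where, ", ".join(missing)))
        for end in ("source", "target"):
            if end in edge and (not isinstance(edge[end], str) or edge[end] not in ids):
                issues.append(_issue("error", "dangling-reference", where, f"{end}={edge[end]!r}"))
        if "relation" in edge and (not isinstance(edge["relation"], str) or edge["relation"] not in RELATIONS):
            issues.append(_issue("error", "invalid-enum", where, f"relation={edge['relation']!r}"))
    if not graph["nodes"]:
        issues.append(_issue("fatal", "missing-field", "graph", "no nodes survived sanitising"))
    levels = [i["level"] for i in issues]
    status = "fatal" if "fatal" in levels else "error" if "error" in levels else "ok"
    stats = {"nodes": len(graph["nodes"]), "edges": len(graph["edges"]),
             **{lvl: levels.count(lvl) for lvl in ("auto-corrected", "error", "fatal")}}
    recs = sorted({RECOMMENDATIONS[i["category"]] for i in issues if i["level"] != "auto-corrected"})
    return {"status": status, "stats": stats, "issues": issues, "recommendations": recs}

def process_llm_output(raw) -> tuple:
    """sanitize, then auto_fix, then validate; returns (graph, report)."""
    fixed, fixes = auto_fix_graph(sanitize_graph(raw))
    return fixed, validate_graph(fixed, fixes)

# Constructed sample of typical LLM output drift (not a real model response).
SAMPLE_LLM_OUTPUT = {
    "nodes": [
        {"id": 1, "kind": "Module", "label": "app"},         # int id, alias keys, enum case
        {"id": "app.main", "type": "function"},               # missing name (fixable)
        {"id": "ghost", "type": "widget", "name": "ghost"},   # invalid enum (not fixable)
        "not a node",                                         # dropped by sanitize_graph
    ],
    "edges": [
        {"from": "1", "to": "app.main", "rel": "contains"},
        {"source": "app.main", "target": "app.db", "relation": "calls"},  # dangling target
    ],
}
```

Every auto-correction is recorded rather than applied silently, so the report shows how far the model's output drifted from the schema even when the graph is ultimately accepted; anything that cannot be repaired without guessing is left as an error for the caller to decide on.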
Phase 7 — PoC generation (P3, 3-4 weeks, optional)
- codelens generate-poc <finding-name> command
- Auto-starts app if no --base-url (detects framework: Django, Flask, Express, FastAPI)
- Binds 127.0.0.1 only (refuses public interface without --allow-public-bind)
- Payload library per vuln class: SQLi, CMDi, path traversal, XSS, SSRF, XXE
- Assertion engine checks observable evidence (HTTP response, OOB callback)
- Output .codelens/pocs/<finding_name>.py (self-contained, re-runnable)
- codelens poc-teardown stops all registered instances
Acceptance criteria
- application.properties values never appear in registry
- git reset --hard blocked with actionable error
- File containing a secret in pack output is detected and excluded
Files
- New: scripts/security/{path_traversal,config_secret_redaction}.py, scripts/git_safety_guard.py, scripts/secrets_integration.py (or extend secrets_engine.py), scripts/commands/{generate_poc,poc_teardown}.py, scripts/poc_engine.py, scripts/knowledge_graph_schema.py (validation functions)
- Update: scripts/commands/guard.py (add --command flag), scripts/mcp_server.py (new file system tools)