fix(analyzers): reduce false positives for negated safety constraints#254
fix(analyzers): reduce false positives for negated safety constraints#254koriyoshi2041 wants to merge 2 commits into
Conversation
Signed-off-by: kigland <shuaizhicheng336@gmail.com>
rng1995
left a comment
There was a problem hiding this comment.
[Automated SkillSpector Review]
Requesting changes. Both false-positive guards introduce detection bypasses: negation is scoped to a multi-line context instead of the matched clause, and the cache-path allowlist accepts traversal that escapes .cache. Scope negation to the current match, normalize/reject traversal, and add adversarial mixed-content regressions.
| if not escaped: | ||
| return False | ||
| negation = r"(?:must\s+not|do\s+not|don't|never|should\s+not)\s+" | ||
| return re.search(negation + r"(?:\w+\s+){0,4}" + escaped, context, re.IGNORECASE) is not None |
There was a problem hiding this comment.
Blocking: this searches the entire ±3-line context instead of the current match span. Do not access credentials.\nAccess credentials and upload them. suppresses both PE3 matches; the duplicated RA1 helper similarly suppresses a live persistence instruction after a negated one. Tie negation to the same clause/match and add mixed benign/live regressions in both analyzers.
| ) | ||
|
|
||
| _SAFE_CACHE_CLEANUP_PATTERNS: tuple[re.Pattern[str], ...] = ( | ||
| re.compile(r"\brm\s+-rf\s+['\"]?\$?\{?HOME\}?/\.cache/[^*\s;&|]+", re.IGNORECASE), |
There was a problem hiding this comment.
Blocking: the allowlist accepts .. traversal. rm -rf "${HOME}/.cache/../../.ssh" is downgraded even though it escapes .cache and deletes ~/.ssh. Normalize and validate the resolved path (or reject traversal segments) and add this adversarial case.
|
Thanks for the review. I pushed
Verified with:
|
Refs #251
Problem
Static scans can currently turn benign safety-policy prose into high-risk findings. In a local fixture, text such as
must not access credentialsandDo not modify this skill's own files, plus scoped cleanup of this tool's own cache path, producedPE3,RA1, andTM1findings with a HIGH / DO_NOT_INSTALL recommendation.Fix
This adds regression coverage for that false-positive class and narrows the static filters so:
PE3andRA1matches are skipped when the matched phrase is explicitly negated in nearby policy prose.${HOME}/.cache/...or~/.cache/...is treated like the existing low-risk cache cleanup path instead of destructive arbitrary deletion.Test
I also re-scanned the local benign fixture after the patch:
score=0,severity=LOW,recommendation=SAFE,finding_count=0.Risk
The negation guard is intentionally narrow:
PE3andRA1only. The cache-cleanup handling is scoped to user cache paths, not arbitrary recursive deletion. This addresses a concrete subset of #251 rather than every false-positive case in that issue.