test: path traversal adversarial corpus + prompt trust annotation #74
Nelson Spence (Fieldnote-Echo) wants to merge 1 commit into main from
Conversation
Add parametrized adversarial path corpus testing 10+ traversal vectors:
- Unix multi-level traversal (../../, ../../../)
- Windows backslash traversal (..\..\)
- Mid-path breakout (src/../../../)
- Absolute paths (/etc/passwd, /tmp/evil.py)
- Symlink traversal (symlink pointing outside repo root)
- Null byte injection (main\x00.py)
- Both read_file and list_files tools covered

Also annotate graph-derived file context as non-privileged in system-core.md prompt (F-PR-002) — explicit prompt text, not HTML comment.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
project-navi-bot
left a comment
All required CI checks passed. Auto-approved by navi-bot.
| @@ -346,6 +346,91 @@ def test_read_file_rejects_prefix_bypass(self, tmp_path: Path) -> None: | |||
| assert "path traversal not allowed" in result.lower() | |||
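Review bot: the rejection check this corpus reuses keys on the literal substring "path traversal not allowed" in result.lower(); for the symlink and null-byte vectors the commit message lists, rejection may surface through a different code path (the review below allows for "error safely"), so consider asserting on a shared rejection marker or exception type rather than the message text, otherwise a wording change in one branch silently turns part of the parametrized corpus into a false pass.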
🔵 LOW: Extensive adversarial path traversal corpus added to tests
Confidence: 95%
A new class of parametrized tests for adversarial path traversal was added, covering Unix/Windows traversal, absolute/symlink paths, and null byte handling. These tests validate that the core path safety checks in read_file and list_files adequately reject traversal attempts or error safely. This helps future-proof against regression but also highlights attack vectors developers should remain vigilant about.
Suggestion: Continue maintaining and expanding these adversarial path tests as new codebase access features are introduced, and adapt them if rejection logic changes. Periodically audit for new traversal patterns or bypasses as the code or OS support evolves.
— Not wrong, but there's a simpler way. Still, this hardening is worth the slight verbosity.
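The rejection logic the review above describes, as an added example that is not CodebaseToolkit's own code: one resolver shared by read_file and list_files that normalises backslashes, refuses null bytes and absolute paths, follows symlinks, and rejects anything that resolves outside the repo root, exercised against the commit's traversal corpus on a constructed sample repo. The function and file names are assumptions for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

REJECT = "path traversal not allowed"  # message the page's test asserts on


def resolve_in_root(root: Path, user_path: str) -> Path:
    """Map a tool-supplied path to a real path inside root, else raise ValueError.

    Rejects null bytes, absolute paths (POSIX or drive-letter) and any target
    that resolves (symlinks followed, '..' collapsed) outside the resolved root.
    """
    if "\x00" in user_path:
        raise ValueError(REJECT)
    normalised = user_path.replace("\\", "/")  # '..\\..\\' behaves like '../../'
    if os.path.isabs(normalised) or re.match(r"^[A-Za-z]:", normalised):
        raise ValueError(REJECT)
    real_root = root.resolve()
    target = (real_root / normalised).resolve()
    try:
        target.relative_to(real_root)  # raises if the target escaped the root
    except ValueError:
        raise ValueError(REJECT) from None
    return target


def read_file(root: Path, user_path: str) -> str:
    """Tool wrapper (hypothetical): file text, or an error string callers can grep."""
    try:
        return resolve_in_root(root, user_path).read_text()
    except ValueError as exc:
        return f"error: {exc}"


def run_corpus() -> dict[str, bool]:
    """Build a constructed sample repo and return {vector: accepted?}."""
    base = Path(tempfile.mkdtemp())
    root = base / "repo"
    (root / "src").mkdir(parents=True)
    (root / "src" / "main.py").write_text("print('hi')\n")
    (base / "outside.txt").write_text("not for the tool\n")
    os.symlink(base / "outside.txt", root / "link.txt")  # symlink escaping root
    vectors = ["src/main.py", "../../etc/passwd", "..\\..\\etc\\passwd",
               "src/../../../etc/passwd", "/etc/passwd", "/tmp/evil.py",
               "link.txt", "main\x00.py"]
    return {v: not read_file(root, v).startswith("error:") for v in vectors}
```

Only the in-root path is accepted; every other vector, including the symlink that points outside the repo, comes back as the rejection string.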
| @@ -62,10 +62,10 @@ You will receive: | |||
| - **Governance rules** (YAML) — trusted, from version-controlled config | |||
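Review bot: "trusted, from version-controlled config" on the governance rules line should say which ref the YAML is read from; if the rules are loaded from the branch under review rather than from main, the PR can edit the rules it is judged by and the "trusted" label does not hold, so state the source ref alongside the trust label in this list.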
🔵 LOW: Prompt trust annotation updated for file context
Confidence: 93%
The documentation for file context in the primary system prompt has been updated: file context is now clearly annotated as non-privileged reference material rather than trusted input. This is important for prompt governance, as it enforces clear trust boundaries between sources of evidence used in analysis versus privileged, version-controlled configuration.
Suggestion: Make sure all tooling and documentation referencing 'file context' reflect this annotation. Continue differentiating between trusted and non-trusted sources across documentation to avoid privilege escalation vulnerabilities via prompt injection.
— Minor governance note. Not blocking. The rules say trust, you say reference. Reference is safer.
✅ Grippy Review — PASS | Score: 96/100 | Findings: 2 | Delta: 2 new | Commit: 8268a01
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Summary
- CodebaseToolkit — parametrized tests covering: read_file and list_files rejection paths
- system-core.md trust annotation — graph-derived file context now explicitly labeled as non-privileged reference material (not [UNTRUSTED] HTML comment)
Audit Context
Test plan
- uv run pytest tests/test_grippy_codebase.py -v — all pass
- uv run pytest tests/ -v — full suite passes

🤖 Generated with Claude Code