Target: hooks/learning-loop/post_tool_learning.py
Scope: Fix blockers + expand pattern coverage
Problem: Lines like # eval() is dangerous trigger warnings
Solution: Add comment filtering in _get_added_lines() or analyze_edit()
def _is_comment_line(line: str) -> bool:
"""Check if line is a comment (Python, JS, shell, etc.)"""
stripped = line.strip()
return (
stripped.startswith('#') or # Python, shell
stripped.startswith('//') or # JS, C, Go
stripped.startswith('*') or # Multi-line comment body
stripped.startswith('/*') or # C-style start
stripped.startswith('"""') or # Docstring
stripped.startswith("'''") # Docstring
)Integration point: Filter in _get_added_lines() before returning
Problem: print("password: admin") not detected
Current pattern:
["\']?password["\']?\s*[:=]\s*["\'][^"\']+["\']Enhanced patterns (add alternatives):
# Pattern 1: Assignment style (existing)
r'["\']?password["\']?\s*[:=]\s*["\'][^"\']+["\']'
# Pattern 2: Colon inside string (password: value)
r'["\']password:\s*[^"\']{3,}["\']'
# Pattern 3: Password as function arg with value
r'password\s*=\s*["\'][^"\']+["\']'
# Pattern 4: JSON-style "password": "value"
r'"password"\s*:\s*"[^"]+"'Also add secret detection for:
secret,token,credential,auth
-
Insecure Deserialization
(r'pickle\.loads?\s*\(', 'pickle.load/loads - insecure deserialization risk') (r'yaml\.load\s*\([^)]*\)', 'yaml.load without SafeLoader - potential code execution') (r'marshal\.loads?\s*\(', 'marshal.load - insecure deserialization')
-
Weak Cryptography
(r'hashlib\.md5\s*\(', 'MD5 hash - cryptographically weak') (r'hashlib\.sha1\s*\(', 'SHA1 hash - cryptographically weak') (r'random\.\w+\s*\(', 'random module - not cryptographically secure')
-
Command Injection
(r'os\.system\s*\(', 'os.system - potential command injection') (r'os\.popen\s*\(', 'os.popen - potential command injection')
-
Path Traversal
(r'open\s*\([^)]*\+[^)]*\)', 'File open with string concatenation - potential path traversal') (r'\.\./', 'Path traversal pattern detected')
-
Network Security
(r'verify\s*=\s*False', 'SSL verification disabled') (r'requests\.get\s*\([^)]*(?!timeout)[^)]*\)', 'requests without timeout')
-
Secrets in Other Formats
(r'(SECRET|TOKEN|KEY)\s*=\s*["\'][^"\']+["\']', 'Hardcoded secret/token/key') (r'Bearer\s+[A-Za-z0-9_-]+', 'Hardcoded bearer token')
-
XML Security
(r'xml\.etree\.ElementTree\.parse', 'XML parse without DTD protection - XXE risk')
RISKY_PATTERNS = {
'code_injection': [
# eval, exec, subprocess shell=True
],
'secrets': [
# password, api_key, token, secret (enhanced)
],
'deserialization': [
# pickle, yaml, marshal
],
'cryptography': [
# MD5, SHA1, random
],
'command_injection': [
# os.system, os.popen
],
'path_traversal': [
# ../, string concat in open()
],
'network': [
# verify=False, no timeout
],
'file_operations': [
# rm -rf, chmod 777, /etc/ writes
]
}After implementation:
- Re-run existing 9 pattern tests (regression)
- Test comment filtering (no false positives)
- Test enhanced password detection (catches more cases)
- Test each new pattern category
- Verify no blocking behavior (advisory only)
| Teammate | Task |
|---|---|
| 1 | Fix comment false positives in _get_added_lines() |
| 2 | Enhance secret detection (password, token, key, secret) |
| 3 | Add new pattern categories (deserialization, crypto, command injection, etc.) |
All teammates work on: hooks/learning-loop/post_tool_learning.py