chore(ci): add semgrep guard against prototype pollution regressions in provider hot paths (#78)

* chore(ci): add semgrep rule no-bracket-assign-on-literal-object-map * chore(ci): add workflow running semgrep bracket-assign guard on push/PR * fix(parser): use Object.create(null) for categoryBreakdown map * chore(ci): expand semgrep rule to cover ||, ??=, and if-guard variants * chore(ci): limit push trigger to main and add semgrep --strict * chore(ci): use jq to enforce finding count (--error unreliable in semgrep 1.x)
2026-04-26 14:10:43 +00:00 · 2026-04-19 00:10:24 +02:00 · 2026-04-19 00:10:24 +02:00 · 5932a273a1
commit 5932a273a1
parent a031c8d32d
3 changed files with 50 additions and 1 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,27 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  semgrep:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Semgrep
+        run: pip install semgrep
+
+      - name: Run Semgrep bracket-assign guard
+        run: |
+          set -e
+          semgrep --config .semgrep/rules/no-bracket-assign-hot-paths.yml \
+            --strict --json \
+            src/providers/ src/parser.ts > semgrep-out.json
+          FINDINGS=$(jq '.results | length' semgrep-out.json)
+          if [ "$FINDINGS" -gt 0 ]; then
+            jq -r '.results[] | "::error file=\(.path),line=\(.start.line)::\(.extra.message)"' semgrep-out.json
+            exit 1
+          fi
--- a/.semgrep/rules/no-bracket-assign-hot-paths.yml
+++ b/.semgrep/rules/no-bracket-assign-hot-paths.yml
@ -0,0 +1,22 @@
+rules:
+  - id: no-bracket-assign-on-literal-object-map
+    languages: [typescript]
+    severity: ERROR
+    message: >
+      Bracket-assign on a map created with `{}` allows prototype pollution when
+      the key comes from external data. Initialize the map with
+      `Object.create(null)` instead.
+    patterns:
+      - pattern-either:
+          - pattern: $MAP[$KEY] = $MAP[$KEY] ?? $INIT
+          - pattern: $MAP[$KEY] = $MAP[$KEY] || $INIT
+          - pattern: $MAP[$KEY] ??= $INIT
+          - pattern: |
+              if (!$MAP[$KEY]) $MAP[$KEY] = $INIT
+      - pattern-not-inside: |
+          const $MAP = Object.create(null)
+          ...
+    paths:
+      include:
+        - '/src/providers/*.ts'
+        - '/src/parser.ts'
--- a/src/parser.ts
+++ b/src/parser.ts
@ -173,7 +173,7 @@ function buildSessionSummary(
  const toolBreakdown: SessionSummary['toolBreakdown'] = Object.create(null)
  const mcpBreakdown: SessionSummary['mcpBreakdown'] = Object.create(null)
  const bashBreakdown: SessionSummary['bashBreakdown'] = Object.create(null)
-  const categoryBreakdown: SessionSummary['categoryBreakdown'] = {} as SessionSummary['categoryBreakdown']
+  const categoryBreakdown: SessionSummary['categoryBreakdown'] = Object.create(null)

  let totalCost = 0
  let totalInput = 0