[BUG] in security_reminder_hook.py , CHANGELOG.md , gitutil.py , llm.py , feed.xml
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
i hve developed a application taht is AEROX AURA which typically checks the depth, loc , complexity , health , status of the repo and when i gave this repo i have found that there are bugs and need some fixes in the above mentioned files and the AEROX AURA application renders all the files and there path in a 3d world like town so i have reported these issue i am attcahing the link of the appliaction [https://aeroxaura.vercel.app/](url)
What Should Happen?
as security_reminder_hook.py file is unhealthy and its health acording to my appliaction is 5% and complexity is 12.3% and LOC is 2068 so i thinki it will affect the entire repo but it is not observed by anyone and there are errors on the mentioned files which i have mentioned in the title
Error Messages/Logs
Steps to Reproduce
security-guidance/hooks/
├── security_reminder_hook.py <-- Slimmed down core dispatcher (< 150 LOC)
└── rules/ <-- Isolated, low-complexity rule definitions
├── __init__.py
├── base_rule.py <-- Common abstract interface
├── javascript_rules.py <-- JS/TS specific rules (innerHTML, dangerouslySetHTML)
├── python_rules.py <-- Python specific rules (pickle, execution)
└── generic_rules.py <-- Cross-language rules (eval, git workflows)
Step A: Define the Base Interface (rules/base_rule.py)
Isolating the execution engine from the target logic drops cyclomatic complexity significantly.
import re
from typing import List, Dict, Any
class BaseSecurityRule:
name: str = "base_rule"
applicable_extensions: List[str] = [] # Empty means all files
def __init__(self, pattern: str, reminder_text: str):
self.regex = re.compile(pattern)
self.reminder_text = reminder_text
def is_applicable(self, file_path: str) -> bool:
if not self.applicable_extensions:
return True
return any(file_path.endswith(ext) for ext in self.applicable_extensions)
def scan(self, file_path: str, content: str) -> List[str]:
if not self.is_applicable(file_path):
return []
if self.regex.search(content):
return [f"[{self.name}] {self.reminder_text}"]
return []
Step B: Group rules cleanly into domain modules (rules/javascript_rules.py)
This directly resolves the known bug where JS rules mistakenly fire on Python, Markdown, or YAML codeblocks.
from .base_rule import BaseSecurityRule
class JavaScriptXSSRule(BaseSecurityRule):
name = "js_xss_dangerously_set"
applicable_extensions = [".js", ".jsx", ".ts", ".tsx"]
def __init__(self):
super().__init__(
pattern=r"dangerouslySetInnerHTML|innerHTML\s*=",
reminder_text="Warning: Direct DOM injection detected. Ensure inputs are completely sanitized."
)
Step C: The Cleaned, High-Performance Main Hook (security_reminder_hook.py)
This script drops your core file complexity to ~2% and LOC down to a tiny fraction of its original scale. It loops through rules dynamically and enforces correct JSON-blocking formatting to satisfy Claude Code's output schema expectations.
import sys
import os
import json
from typing import List
Import our strategy modules
from rules.javascript_rules import JavaScriptXSSRule
Import other rules here...
Instantiate the active rule engine registry
RULE_REGISTRY = [
JavaScriptXSSRule(),
# Add other cleanly encapsulated rules here
]
def main():
# 1. Enforce validation of incoming stdin payload
try:
input_data = json.load(sys.stdin)
file_path = input_data.get("filepath", "")
file_content = input_data.get("content", "")
except (json.JSONDecodeError, Exception):
# Gracefully exit if payload formatting isn't hooked yet
print(json.dumps({"decision": "allow", "reason": "Malformed hook input json"}))
sys.exit(0)
findings: List[str] = []
# 2. Iterate through decoupled scanner matrix
for rule in RULE_REGISTRY:
try:
violations = rule.scan(file_path, file_content)
if violations:
findings.extend(violations)
except Exception as e:
# Prevent one failing rule from breaking entire Write/Edit capability
continue
# 3. Output decision utilizing strict format compliance
if findings:
aggregated_reminders = "\n".join(findings)
print(json.dumps({
"decision": "block",
"reason": f"Security Anti-Patterns Detected:\n{aggregated_reminders}"
}))
sys.exit(0) # Standard protocol handling handles non-zero inside payload block
# Pass-through clean state
print(json.dumps({"decision": "allow"}))
sys.exit(0)
if __name__ == "__main__":
main()
Claude Model
None
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.154
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
VS Code integrated terminal
Additional Information
_No response_
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗