fix: security hardening across all shell scripts #7
Merged
…ilures Full security audit and remediation across 14 files: replace unsafe eval with safe arg parser in audit.sh, add module name validation, fix TOCTOU race in dotfile symlinks, quote SSH config variables, add temp file cleanup traps, surface masked errors in brew/mise, pin bun version, add SSH key strength warnings, enable macOS firewall and screen lock defaults. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Full security audit and remediation of all shell scripts, addressing critical through low severity issues across 15 files:
- eval in lib/audit.sh with a safe quoted-argument parser; added module name validation in lib/profile.sh to block path traversal
- lib/state.sh; chmod 700 on state directory
- brew bundle, mise install, sudo xcodebuild, and chmod 600 errors are now reported instead of swallowed by || true
- IdentityFile path; added key type/strength validation warning for DSA and short RSA keys; validated ZSH_BIN before writing to /etc/shells
- bun@latest → bun@1.2 in both profiles; documented install.sh trust model with verification instructions

Test plan
- shellcheck --severity=warning on all scripts (passes clean)
- MBP_FORCE=1 mbp setup on a test machine and verify all modules complete
- mbp audit parses macOS defaults without eval

🤖 Generated with Claude Code
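
The eval replacement named in the summary, as an added example that is not the PR's own code (the parser in lib/audit.sh is not shown on this page): a POSIX sh word splitter that honours quotes and passes the words to a command as argv, next to an assumed eval-based "before". The names run_split, run_eval, show_argv and SAMPLE are hypothetical, and show_argv stands in for the real command.

```shell
#!/bin/sh
# Added illustration; not code from the PR. All names here are hypothetical.
tab=$(printf '\t')
nl='
'

# "Before" shape (assumed): the line is re-parsed by the shell, so $(...),
# backticks and ';' inside it are executed.
run_eval() { eval "$1 $2"; }

# "After": split STRING into words ourselves and pass them to CMD as argv.
# Single or double quotes group a word; there are no escapes and no expansion.
# The body runs in a subshell, so its variables and `set --` stay local.
run_split() (
  cmd=$1 rest=$2 cur= quote= started=
  set -- "$cmd"
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}     # first character of what is left
    rest=${rest#?}
    if [ -n "$quote" ]; then  # inside quotes: everything up to the closer is data
      if [ "$c" = "$quote" ]; then quote=; else cur=$cur$c; fi
      continue
    fi
    case $c in
      "'"|'"') quote=$c; started=1 ;;
      ' '|"$tab"|"$nl")
        [ -z "$started" ] || { set -- "$@" "$cur"; cur=; started=; } ;;
      *) cur=$cur$c; started=1 ;;
    esac
  done
  [ -z "$quote" ] || { echo "run_split: unterminated quote" >&2; exit 64; }
  [ -z "$started" ] || set -- "$@" "$cur"
  "$@"
)

# Stand-in for the real command (e.g. defaults): prints each argument in [].
show_argv() { for a in "$@"; do printf '[%s]' "$a"; done; }

# Constructed sample line with a harmless command substitution in it.
SAMPLE='read com.example.app "Key Name" "$(echo INJECTED)"'
run_split show_argv "$SAMPLE"; echo
run_eval show_argv "$SAMPLE"; echo
```

With run_split the substitution reaches the command as literal text; with run_eval the shell executes it first. An unterminated quote makes run_split fail with status 64 instead of running a partial command.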