github Dicklesworthstone/ultimate_bug_scanner v5.0.4
v5.0.4 - Security Patch

latest releases: v5.0.6, v5.0.5
one month ago

🔒 Security Patch Release

This release contains a critical security fix for users of Claude Code with the git_safety_guard.py hook.

Vulnerability Details

Affected Component: .claude/hooks/git_safety_guard.py

Issue: The git safety guard could be bypassed by using absolute paths to the rm command:

Command                       Before v5.0.4     After v5.0.4
rm -rf /important             ❌ Blocked        ❌ Blocked
/bin/rm -rf /important        ALLOWED (Bug!)    ❌ Blocked
/usr/bin/rm -rf /important    ALLOWED (Bug!)    ❌ Blocked

Root Cause: Both has_rm_recursive_force() and rm_rf_targets_are_safe() checked only for the exact token "rm", not path variants such as /bin/rm or /usr/bin/rm.

Fix: Added _is_rm_command() helper function that recognizes both rm and any path ending in /rm.
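
A minimal sketch of the check described above, added here as an illustration and not taken from git_safety_guard.py. The function names, the flag parsing and the fail-closed handling of unparseable input are assumptions, and the hook's target-safety logic is left out.

```python
import shlex

def is_rm_exact(token):
    """Pre-fix check as described: only the bare token "rm" matches."""
    return token == "rm"

def is_rm_path_aware(token):
    """Post-fix check as described: "rm" or any path ending in "/rm"."""
    return token == "rm" or token.endswith("/rm")

def has_recursive_force(args):
    """True if the flags before any "--" request both recursion and force."""
    recursive = force = False
    for arg in args:
        if arg == "--":
            break
        if arg == "--recursive":
            recursive = True
        elif arg == "--force":
            force = True
        elif arg.startswith("-") and not arg.startswith("--"):
            recursive = recursive or "r" in arg or "R" in arg
            force = force or "f" in arg
    return recursive and force

def is_blocked(command, is_rm):
    """Block when any token is an rm command followed by recursive+force flags."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return True  # assumption: fail closed on input the guard cannot parse
    return any(is_rm(tok) and has_recursive_force(tokens[i + 1:])
               for i, tok in enumerate(tokens))

# Constructed sample commands: the three rows of the table plus two negatives.
SAMPLES = [
    "rm -rf /important",
    "/bin/rm -rf /important",
    "/usr/bin/rm -rf /important",
    "rm notes.txt",                # no recursive+force flags
    "/usr/bin/perform -rf build",  # ends in "rm" but not in "/rm"
]

def compare(commands=SAMPLES):
    """Return (command, blocked_before, blocked_after) for each command."""
    return [(c, is_blocked(c, is_rm_exact), is_blocked(c, is_rm_path_aware))
            for c in commands]

if __name__ == "__main__":
    for cmd, before, after in compare():
        print(f"{cmd:32} before={before!s:5} after={after}")
```

Matching on the "/rm" suffix rather than on "rm" keeps unrelated binaries whose names merely end in those letters out of the block list.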

Who Should Update

  • All users of Claude Code with the git_safety_guard hook installed
  • Users who installed UBS with --easy-mode (which sets up Claude hooks)

How to Update

# Update UBS
curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/master/install.sh | bash -s -- --update

# Or manually update the hook
curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/master/.claude/hooks/git_safety_guard.py -o ~/.claude/hooks/git_safety_guard.py

Commits in This Release

  • 8907eec fix(security): close /bin/rm -rf bypass in git_safety_guard.py
  • 6d95684 chore(beads): sync issue tracker state
  • 1cfd52d chore(release): bump version to 5.0.4

Checksums

SHA256 (install.sh) = 20b1f6b6337ac4df6e45af4c0028ecd01313a040f6233f60c7da42d9b8f1aa87
SHA256 (ubs) = e8258f15a8fcf9bb3fefc001ea1abd25268d88cdd41aeb136a909d8f37e30ab0

This release was generated with Claude Code
