Skip to content

fix: security audit remediation (#1375)#1383

Merged
ruvnet merged 1 commit intomainfrom
fix/security-audit-1375
Mar 19, 2026
Merged

fix: security audit remediation (#1375)#1383
ruvnet merged 1 commit intomainfrom
fix/security-audit-1375

Conversation

@ruvnet
Copy link
Copy Markdown
Owner

@ruvnet ruvnet commented Mar 19, 2026

Summary

Addresses all actionable findings from the security audit in #1375.

Changes

Fix File(s) Details
SQL injection (#1030) memory-initializer.ts 9 string-interpolated queries → parameterized (db.prepare/bind)
Preinstall removal package.json, bin/preinstall.cjs Removed no-op preinstall hook entirely
SECURITY.md SECURITY.md Vulnerability disclosure policy, supported versions, safe harbor
npx allowlist safe-executor.ts, index.ts, security-domain-service.ts Removed npx from SafeExecutor defaults
Cleanup command commands/cleanup.ts, commands/index.ts ruflo cleanup to remove project artifacts

Test plan

  • Docker: ruflo@3.5.40 mcp start — clean startup, no crash
  • Docker: ruflo cleanup — dry-run shows artifacts correctly
  • Docker: No preinstall script in published package
  • Docker: Zero replace(/'/g SQL interpolation in published JS
  • TypeScript build passes with no errors
  • Security tests updated (npx blocked, not allowed)

Closes #1375, Closes #1030

🤖 Generated with claude-flow

@ruvnet
fix: address security audit findings from #1375
cc18448 
1. SQL injection: Convert all 9 string-interpolated queries in
   memory-initializer.ts to parameterized queries (db.prepare/bind)
   Closes #1030

2. Preinstall hook: Remove no-op preinstall script and package.json entry
   that triggered supply chain concern

3. SECURITY.md: Add vulnerability disclosure policy with supported
   versions, reporting process, and safe harbor statement

4. SafeExecutor: Remove npx from default command allowlist to prevent
   arbitrary package execution via safe executor

5. Cleanup command: Add `cleanup` command for removing project artifacts
   (.claude/, .swarm/, data/, etc.) with --dry-run default and --force
   to execute. Addresses uninstall documentation gap

Published as v3.5.40. All fixes verified in Docker.

Closes #1375

Co-Authored-By: claude-flow <ruv@ruv.net>
@ruvnet ruvnet merged commit 75fe9f5 into main Mar 19, 2026
5 of 7 checks passed
@ruvnet ruvnet deleted the fix/security-audit-1375 branch March 19, 2026 15:25
@ruvnet ruvnet mentioned this pull request Mar 19, 2026
Closed
deepakdgupta1 pushed a commit to deepakdgupta1/claude-flow that referenced this pull request Mar 21, 2026
@ruvnet @deepakdgupta1
fix: address security audit findings from ruvnet#1375 (ruvnet#1383)
29c9941 
1. SQL injection: Convert all 9 string-interpolated queries in
   memory-initializer.ts to parameterized queries (db.prepare/bind)
   Closes ruvnet#1030

2. Preinstall hook: Remove no-op preinstall script and package.json entry
   that triggered supply chain concern

3. SECURITY.md: Add vulnerability disclosure policy with supported
   versions, reporting process, and safe harbor statement

4. SafeExecutor: Remove npx from default command allowlist to prevent
   arbitrary package execution via safe executor

5. Cleanup command: Add `cleanup` command for removing project artifacts
   (.claude/, .swarm/, data/, etc.) with --dry-run default and --force
   to execute. Addresses uninstall documentation gap

Published as v3.5.40. All fixes verified in Docker.

Closes ruvnet#1375
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security Audit Summary: Multiple Critical Concerns Security: SQL injection vulnerabilities in memory-initializer.ts

1 participant

@ruvnet