fix(reachability): anchor user-input entry-point patterns with word boundary#128
Open
gadievron wants to merge 1 commit into
…oundary

The FastAPI input pattern (Query|Body|Form|File|Header|Cookie)\s*\( and the ArgumentParser pattern lacked a leading \b, so any identifier ending in one of those words (setCookie(, PQsendQuery(, getHeader(, MyArgumentParser() matched as a user-input source and was seeded as a false remote-web entry point across C/Go/PHP/Python repos. Anchor both with \b; qualified forms like fastapi.Query( still match (the '.' provides the boundary).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Finding F9 (MED-HIGH) from a multi-language reachability audit. Standalone fix off
Base: master · Type: bug fix · Finding: F9 (MED-HIGH)

What

`utilities/agentic_enhancer/entry_point_detector.py` — add a leading `\b` to two `USER_INPUT_PATTERNS` entries:

- `(Query|Body|Form|File|Header|Cookie)\s*\(` → `\b(...)\s*\(`
- `ArgumentParser\s*\(` → `\bArgumentParser\s*\(`

Why

The unanchored alternation matched any identifier ending in one of those words, so ordinary library calls — `res.setCookie(`, `PQsendQuery(`, `req.getHeader(`, `MyArgumentParser(` — matched as user-input sources and were seeded as false remote-web entry points. Measured across the eval corpus: ~1,800 false seeds (postgres 431, kubernetes 717, symfony 600, laravel 377). False entry points inflate the reachable set and mis-label attack surface.

Qualified forms still match after the fix: `fastapi.Query(`, `models.Header(`, `argparse.ArgumentParser(` — the `.` supplies the word boundary.

Tests

- `tests/test_entry_point_input_pattern_boundary.py` (new): rejects `setCookie(` / `PQsendQuery(` / `getHeader(` / `parseMultipartFile(`; still matches standalone `Cookie(` / `Query(` / `Body(` / `Header(`.
- `setCookie(token)` matched `Cookie(`.
- `test_entry_point_detector.py` + bindings: 18 passed.

Reachability impact (verified)

Empirically, this only removes FALSE input entry points — genuine FastAPI dependency seeds are retained. No legitimate reachability lost. (Library-collapse behaviour F6 is untouched — this change is two regex lines.)

Upstream coordination

No open PR modifies this regex. PR #120/#75/#76 reference `USER_INPUT_PATTERNS` only in added comments / new helpers; the regex line is unchanged on all of them. Non-overlapping.

Author notes

- `\b`-anchored patterns at the FastAPI and `ArgumentParser` entries.
- `setCookie(` / `PQsendQuery(` that previously produced false entry points.
- `\b` drop `fastapi.Query(`?" — no; the `.` is a non-word char so the boundary holds (covered by a test assertion).
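As an added illustration (not code from this PR or the project), the two regexes before and after the `\b` fix are run over constructed sample lines: the identifiers the description lists as false seeds, plus the bare and qualified FastAPI/argparse forms it says must keep matching.

```python
import re

# Constructed example: the two USER_INPUT_PATTERNS entries as described in
# the PR, before and after the leading \b was added.
BEFORE = {
    "fastapi": re.compile(r"(Query|Body|Form|File|Header|Cookie)\s*\("),
    "argparse": re.compile(r"ArgumentParser\s*\("),
}
AFTER = {
    "fastapi": re.compile(r"\b(Query|Body|Form|File|Header|Cookie)\s*\("),
    "argparse": re.compile(r"\bArgumentParser\s*\("),
}

# Constructed sample source lines paired with whether a reachability tool
# should seed the line as a user-input entry point.
SAMPLES = [
    ("res.setCookie(token)", False),             # cookie setter, not a source
    ("PQsendQuery(conn, sql)", False),           # libpq client call
    ("req.getHeader('X-Id')", False),            # header getter
    ("p = MyArgumentParser()", False),           # subclass with a suffix match
    ("parseMultipartFile(req)", False),
    ("q: str = Query(None)", True),              # bare FastAPI Query
    ("tok = fastapi.Cookie(None)", True),        # qualified: '.' is a boundary
    ("h = models.Header(None)", True),
    ("parser = argparse.ArgumentParser()", True),
    ("Body( ... )", True),                       # whitespace before '(' allowed
]


def is_input_source(line: str, patterns) -> bool:
    """True if any pattern in the set matches the line (search, not match)."""
    return any(p.search(line) for p in patterns.values())


def false_positives(patterns) -> list:
    """Lines seeded as entry points although they are not input sources."""
    return [line for line, expected in SAMPLES
            if not expected and is_input_source(line, patterns)]


def missed_sources(patterns) -> list:
    """Genuine input sources the pattern set fails to seed."""
    return [line for line, expected in SAMPLES
            if expected and not is_input_source(line, patterns)]


if __name__ == "__main__":
    print("before fix, false seeds:", false_positives(BEFORE))
    print("after fix, false seeds: ", false_positives(AFTER))
    print("after fix, missed:      ", missed_sources(AFTER))
```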