Add 5 Claude Code hooks security rules (9 sub-rules)

DrewDennison · claude · DrewDennison · commit 3e8a07267ff9 · 2026-03-04T14:32:07.000-08:00
New rules detect common security issues in Claude Code hook scripts:
- hooks-no-input-validation: missing try/except around stdin JSON parsing
- hooks-unquoted-variable: tainted stdin data flowing to eval/exec sinks
- hooks-path-traversal: stdin data used in file ops without path resolution
- hooks-relative-script-path: relative path script invocations (./scripts/...)
- hooks-sensitive-file-access: stdin data used in file ops without sensitive file filtering

Covers Python (taint mode) and Bash (taint + pattern-regex) with full test suites.
83 rules total, all validated and tests passing.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/AGENTS.md b/AGENTS.md
@@ -71,5 +71,5 @@ CWE mapping:
 
 ## Current Stats
 
-- 35 YAML rule files, 74 individual sub-rules
+- 40 YAML rule files, 83 individual sub-rules
 - All rules validated, all tests passing
diff --git a/rules/hooks-no-input-validation/hooks-no-input-validation.py b/rules/hooks-no-input-validation/hooks-no-input-validation.py
@@ -0,0 +1,21 @@
+import json
+import sys
+
+# ruleid: hooks-no-input-validation-python
+data = json.loads(sys.stdin.read())
+
+# ruleid: hooks-no-input-validation-python
+data = json.load(sys.stdin)
+
+# ok: hooks-no-input-validation-python
+try:
+    data = json.loads(sys.stdin.read())
+except (json.JSONDecodeError, ValueError):
+    sys.exit(1)
+
+# ok: hooks-no-input-validation-python
+try:
+    data = json.load(sys.stdin)
+except Exception as e:
+    print(f"Error: {e}")
+    sys.exit(1)
diff --git a/rules/hooks-no-input-validation/hooks-no-input-validation.sh b/rules/hooks-no-input-validation/hooks-no-input-validation.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# ruleid: hooks-no-input-validation-bash
+eval $INPUT
+
+# ruleid: hooks-no-input-validation-bash
+eval "$RESULT"
+
+# ruleid: hooks-no-input-validation-bash
+echo $DATA | bash
+
+# ruleid: hooks-no-input-validation-bash
+echo $DATA | sh
+
+# ok: hooks-no-input-validation-bash
+if [ -n "$INPUT" ]; then
+    echo "Input is not empty"
+fi
diff --git a/rules/hooks-no-input-validation/hooks-no-input-validation.yaml b/rules/hooks-no-input-validation/hooks-no-input-validation.yaml
@@ -0,0 +1,40 @@
+rules:
+  - id: hooks-no-input-validation-python
+    languages: [python]
+    severity: WARNING
+    message: >-
+      Claude Code hook reads stdin without input validation. Wrap json.loads/json.load
+      calls in try/except to handle malformed or unexpected input gracefully.
+    metadata:
+      cwe: "CWE-20: Improper Input Validation"
+      category: security
+      confidence: MEDIUM
+      technology: [claude-code]
+      references:
+        - https://docs.anthropic.com/en/docs/claude-code/hooks
+    patterns:
+      - pattern-either:
+          - pattern: json.loads(sys.stdin.read())
+          - pattern: json.load(sys.stdin)
+      - pattern-not-inside: |
+          try:
+              ...
+          except ...:
+              ...
+  - id: hooks-no-input-validation-bash
+    languages: [bash]
+    severity: WARNING
+    message: >-
+      Piping untrusted input directly to eval, bash, or sh is dangerous in Claude Code
+      hooks. Validate and sanitize input before executing it.
+    metadata:
+      cwe: "CWE-20: Improper Input Validation"
+      category: security
+      confidence: MEDIUM
+      technology: [claude-code]
+      references:
+        - https://docs.anthropic.com/en/docs/claude-code/hooks
+    pattern-either:
+      - pattern: eval $...ARGS
+      - pattern: echo $...ARGS | bash
+      - pattern: echo $...ARGS | sh
diff --git a/rules/hooks-path-traversal/hooks-path-traversal.py b/rules/hooks-path-traversal/hooks-path-traversal.py
@@ -0,0 +1,34 @@
+import json
+import sys
+import os
+import shutil
+import pathlib
+
+data = json.loads(sys.stdin.read())
+# ruleid: hooks-path-traversal-python
+f = open(data["file_path"], "r")
+
+hook_input = json.load(sys.stdin)
+# ruleid: hooks-path-traversal-python
+os.remove(hook_input["path"])
+
+payload = json.loads(sys.stdin.read())
+# ruleid: hooks-path-traversal-python
+shutil.copy(payload["source"], "/tmp/dest")
+
+payload = json.loads(sys.stdin.read())
+# ruleid: hooks-path-traversal-python
+p = pathlib.Path(payload["file"])
+
+# ok: hooks-path-traversal-python
+data = json.loads(sys.stdin.read())
+safe_path = os.path.realpath(data["file_path"])
+f = open(safe_path, "r")
+
+# ok: hooks-path-traversal-python
+data = json.loads(sys.stdin.read())
+abs_path = os.path.abspath(data["file_path"])
+os.remove(abs_path)
+
+# ok: hooks-path-traversal-python
+hardcoded = open("/tmp/known_file.txt", "r")
diff --git a/rules/hooks-path-traversal/hooks-path-traversal.sh b/rules/hooks-path-traversal/hooks-path-traversal.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+FILE_PATH=$(cat /dev/stdin | jq -r '.file_path')
+# ruleid: hooks-path-traversal-bash
+cat $FILE_PATH
+
+TARGET=$(echo "$INPUT" | jq -r '.path')
+# ruleid: hooks-path-traversal-bash
+rm $TARGET
+
+# ok: hooks-path-traversal-bash
+RAW_PATH=$(cat /dev/stdin | jq -r '.file_path')
+SAFE_PATH=$(realpath "$RAW_PATH")
+cat $SAFE_PATH
+
+# ok: hooks-path-traversal-bash
+cat /tmp/known_file.txt
diff --git a/rules/hooks-path-traversal/hooks-path-traversal.yaml b/rules/hooks-path-traversal/hooks-path-traversal.yaml
@@ -0,0 +1,78 @@
+rules:
+  - id: hooks-path-traversal-python
+    mode: taint
+    languages: [python]
+    severity: ERROR
+    message: >-
+      Hook input flows into a file path without validation. Claude Code hooks
+      receive JSON input that may contain user-controlled paths. An attacker
+      could craft input with path traversal sequences (e.g., '../../etc/passwd')
+      to read, modify, or delete arbitrary files. Use os.path.realpath() or
+      os.path.abspath() to resolve and validate paths before file operations.
+    metadata:
+      cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+      category: security
+      confidence: MEDIUM
+      subcategory: [vuln]
+      technology: [claude-code]
+      references:
+        - https://docs.anthropic.com/en/docs/claude-code/hooks
+    pattern-sources:
+      - pattern: json.loads(...)
+      - pattern: json.load(...)
+    pattern-sinks:
+      - patterns:
+          - pattern: open($SINK, ...)
+          - focus-metavariable: $SINK
+      - patterns:
+          - pattern: os.remove($SINK)
+          - focus-metavariable: $SINK
+      - patterns:
+          - pattern: os.unlink($SINK)
+          - focus-metavariable: $SINK
+      - patterns:
+          - pattern: shutil.copy($SINK, ...)
+          - focus-metavariable: $SINK
+      - patterns:
+          - pattern: shutil.move($SINK, ...)
+          - focus-metavariable: $SINK
+      - patterns:
+          - pattern: pathlib.Path($SINK)
+          - focus-metavariable: $SINK
+    pattern-sanitizers:
+      - pattern: os.path.realpath(...)
+      - pattern: os.path.abspath(...)
+
+  - id: hooks-path-traversal-bash
+    mode: taint
+    languages: [bash]
+    severity: ERROR
+    message: >-
+      Hook input flows into a file path without validation. Claude Code hooks
+      receive JSON input that may contain user-controlled paths. An attacker
+      could craft input with path traversal sequences (e.g., '../../etc/passwd')
+      to read, modify, or delete arbitrary files. Use realpath or readlink -f
+      to resolve and validate paths before file operations.
+    metadata:
+      cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+      category: security
+      confidence: MEDIUM
+      subcategory: [vuln]
+      technology: [claude-code]
+      references:
+        - https://docs.anthropic.com/en/docs/claude-code/hooks
+    pattern-sources:
+      - pattern: |
+          $VAR=$(... | jq ...)
+    pattern-sinks:
+      - patterns:
+          - pattern-either:
+              - pattern: cat $SINK
+              - pattern: rm $SINK
+              - pattern: cp $SINK ...
+              - pattern: mv $SINK ...
+          - pattern-not-inside: |
+              $X=$(... | jq ...)
+    pattern-sanitizers:
+      - pattern: realpath ...
+      - pattern: readlink -f ...
diff --git a/rules/hooks-relative-script-path/hooks-relative-script-path.sh b/rules/hooks-relative-script-path/hooks-relative-script-path.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# ruleid: hooks-relative-script-path-bash
+source ./scripts/validate.sh
+
+# ruleid: hooks-relative-script-path-bash
+bash ./hooks/check.sh
+
+# ruleid: hooks-relative-script-path-bash
+sh ./run.sh
+
+# ok: hooks-relative-script-path-bash
+source /usr/local/hooks/validate.sh
+
+# ok: hooks-relative-script-path-bash
+bash "$CLAUDE_PROJECT_DIR/hooks/check.sh"
+
+# ok: hooks-relative-script-path-bash
+source "$HOME/.claude/hooks/hook.sh"
diff --git a/rules/hooks-relative-script-path/hooks-relative-script-path.yaml b/rules/hooks-relative-script-path/hooks-relative-script-path.yaml
@@ -0,0 +1,16 @@
+rules:
+  - id: hooks-relative-script-path-bash
+    languages: [bash]
+    severity: WARNING
+    message: >-
+      Relative path used for script invocation in hook. Use absolute paths or
+      environment variables like $CLAUDE_PROJECT_DIR or $HOME to ensure the
+      correct script is executed regardless of working directory.
+    metadata:
+      cwe: "CWE-426: Untrusted Search Path"
+      category: security
+      confidence: MEDIUM
+      technology: [claude-code]
+      references:
+        - https://docs.anthropic.com/en/docs/claude-code/hooks
+    pattern-regex: (source|bash|sh|\.)\s+\./\S+
diff --git a/rules/hooks-sensitive-file-access/hooks-sensitive-file-access.py b/rules/hooks-sensitive-file-access/hooks-sensitive-file-access.py
@@ -0,0 +1,33 @@
+import json
+import sys
+import os
+import shutil
+
+data = json.loads(sys.stdin.read())
+# ruleid: hooks-sensitive-file-access-python
+f = open(data["file_path"], "r")
+
+hook_input = json.load(sys.stdin)
+# ruleid: hooks-sensitive-file-access-python
+os.remove(hook_input["path"])
+
+payload = json.loads(sys.stdin.read())
+# ruleid: hooks-sensitive-file-access-python
+shutil.copy(payload["source"], "/tmp/dest")
+
+payload = json.loads(sys.stdin.read())
+# ruleid: hooks-sensitive-file-access-python
+shutil.move(payload["file"], "/tmp/moved")
+
+# ok: hooks-sensitive-file-access-python
+data = json.loads(sys.stdin.read())
+path = validate_path(data["file_path"])
+f = open(path, "r")
+
+# ok: hooks-sensitive-file-access-python
+data = json.loads(sys.stdin.read())
+safe_path = os.path.realpath(data["file_path"])
+f = open(safe_path, "r")
+
+# ok: hooks-sensitive-file-access-python
+hardcoded = open("/tmp/known_file.txt", "r")
diff --git a/rules/hooks-sensitive-file-access/hooks-sensitive-file-access.sh b/rules/hooks-sensitive-file-access/hooks-sensitive-file-access.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# ruleid: hooks-sensitive-file-access-bash
+FILE_PATH=$(cat /dev/stdin | jq -r '.file_path')
+cat $FILE_PATH
+
+# ruleid: hooks-sensitive-file-access-bash
+TARGET=$(cat /dev/stdin | jq -r '.path')
+rm $TARGET
+
+# ok: hooks-sensitive-file-access-bash
+SAFE="hardcoded_file.txt"
+cat $SAFE
diff --git a/rules/hooks-sensitive-file-access/hooks-sensitive-file-access.yaml b/rules/hooks-sensitive-file-access/hooks-sensitive-file-access.yaml
@@ -0,0 +1,63 @@
+rules:
+  - id: hooks-sensitive-file-access-python
+    mode: taint
+    languages: [python]
+    severity: WARNING
+    message: >-
+      Hook input flows into a file operation without checking for sensitive
+      files. Claude Code hooks receive JSON input that may reference sensitive
+      files such as ~/.ssh/*, ~/.aws/credentials, or .env files. Filter or
+      block access to sensitive paths using a validation function like
+      check_sensitive() or is_sensitive() before performing file operations.
+    metadata:
+      cwe: "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory"
+      category: security
+      confidence: MEDIUM
+      subcategory: [vuln]
+      technology: [claude-code]
+      references:
+        - https://docs.anthropic.com/en/docs/claude-code/hooks
+    pattern-sources:
+      - pattern: json.loads(...)
+      - pattern: json.load(...)
+    pattern-sinks:
+      - patterns:
+          - pattern: open($SINK, ...)
+          - focus-metavariable: $SINK
+      - patterns:
+          - pattern: os.remove($SINK)
+          - focus-metavariable: $SINK
+      - patterns:
+          - pattern: shutil.copy($SINK, ...)
+          - focus-metavariable: $SINK
+      - patterns:
+          - pattern: shutil.move($SINK, ...)
+          - focus-metavariable: $SINK
+    pattern-sanitizers:
+      - pattern: validate_path(...)
+      - pattern: check_sensitive(...)
+      - pattern: is_sensitive(...)
+      - pattern: os.path.realpath(...)
+
+  - id: hooks-sensitive-file-access-bash
+    languages: [generic]
+    severity: WARNING
+    message: >-
+      Hook input from jq flows into a file operation without checking for
+      sensitive files. Claude Code hooks receive JSON input that may reference
+      sensitive files such as ~/.ssh/*, ~/.aws/credentials, or .env files.
+      Filter or block access to sensitive paths using realpath and a validation
+      check before performing file operations.
+    metadata:
+      cwe: "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory"
+      category: security
+      confidence: MEDIUM
+      subcategory: [vuln]
+      technology: [claude-code]
+      references:
+        - https://docs.anthropic.com/en/docs/claude-code/hooks
+    paths:
+      include:
+        - "*.sh"
+        - "*.bash"
+    pattern-regex: '\$\(.*\|\s*jq\b[^)]*\)[\s\S]*?\n\s*(cat|rm|cp|mv)\s+\$'
diff --git a/rules/hooks-unquoted-variable/hooks-unquoted-variable.sh b/rules/hooks-unquoted-variable/hooks-unquoted-variable.sh
diff --git a/rules/hooks-unquoted-variable/hooks-unquoted-variable.yaml b/rules/hooks-unquoted-variable/hooks-unquoted-variable.yaml
