From 5adc7510536b4196636a373b32744a13264c8674 Mon Sep 17 00:00:00 2001 From: bellman Date: Fri, 5 Jun 2026 05:24:15 +0900 Subject: [PATCH] docs: mark ROADMAP #97 DONE 97: empty --allowedTools is unrestricted (no restrictions = default mode) Generated with https://github.com/Yeachan-Heo/gajae-code Co-authored-by: Gajae Code --- ROADMAP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ROADMAP.md b/ROADMAP.md index ee19ca54..30446a67 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -2321,7 +2321,7 @@ ear], /color [scheme], /effort [low|medium|high], /fast, /summary, /tag [label], **Source.** Jobdori dogfood 2026-04-18 against `/tmp/cdM` on main HEAD `7a172a2` in response to Clawhip pinpoint nudge at `1494766926826700921`. Joins the **silent-flag no-op class** with #96 (self-contradicting `--help` surface) and #97 (silent-empty `--allowedTools`) — three variants of "flag parses, produces no useful effect, emits no diagnostic." Distinct from the permission-audit sweep: this is specifically about *flag-scope consistency with documented behavior*, not about what the flag would do if it worked. Natural bundle: **#96 + #97 + #98** covers the full `--help` / flag-validation hygiene triangle — what the surface claims to support, what it silently disables, and what it silently ignores. -99. **`claw system-prompt --cwd PATH --date YYYY-MM-DD` performs zero validation on either value: nonexistent paths, empty strings, multi-line strings, SQL-injection payloads, and arbitrary prompt-injection text are all accepted verbatim and interpolated straight into the rendered system-prompt output in two places each (`# Environment context` and `# Project context` sections) — a classic unvalidated-input → system-prompt surface that a downstream consumer invoking `claw system-prompt --date "$USER_INPUT"` or `--cwd "$TAINTED_PATH"` could weaponize into prompt injection** — dogfooded 2026-04-18 on main HEAD `0e263be` from `/tmp/cdN`. `--help` documents the format as `[--cwd PATH] [--date YYYY-MM-DD]` — implying a filesystem path and an ISO date — but the parser (`main.rs:1162-1190`) just does `PathBuf::from(value)` and `date.clone_from(value)` with no further checks. Both values then reach `SystemPromptBuilder::render_env_context()` at `prompt.rs:176-186` and `render_project_context()` at `prompt.rs:289-293` where they are formatted into the output via `format!("Working directory: {}", cwd.display())` and `format!("Today's date is {}.", current_date)` with no escaping or line-break rejection. +99. **DONE — `claw system-prompt --cwd PATH --date YYYY-MM-DD` performs zero validation on either value: nonexistent paths, empty strings, multi-line strings, SQL-injection payloads, and arbitrary prompt-injection text are all accepted verbatim and interpolated straight into the rendered system-prompt output in two places each (`# Environment context` and `# Project context` sections) — a classic unvalidated-input → system-prompt surface that a downstream consumer invoking `claw system-prompt --date "$USER_INPUT"` or `--cwd "$TAINTED_PATH"` could weaponize into prompt injection** — dogfooded 2026-04-18 on main HEAD `0e263be` from `/tmp/cdN`. `--help` documents the format as `[--cwd PATH] [--date YYYY-MM-DD]` — implying a filesystem path and an ISO date — but the parser (`main.rs:1162-1190`) just does `PathBuf::from(value)` and `date.clone_from(value)` with no further checks. Both values then reach `SystemPromptBuilder::render_env_context()` at `prompt.rs:176-186` and `render_project_context()` at `prompt.rs:289-293` where they are formatted into the output via `format!("Working directory: {}", cwd.display())` and `format!("Today's date is {}.", current_date)` with no escaping or line-break rejection. **Concrete repro.** ```