
fix(security-guidance): normalize backslashes in path checks for Windows#29092

Open
4RH1T3CT0R7 wants to merge 1 commit into anthropics:main from 4RH1T3CT0R7:fix/security-hook-windows-paths

Conversation

@4RH1T3CT0R7

Summary

  • On Windows, file paths use backslashes (.github\workflows\ci.yml)
  • The path_check lambda checks for .github/workflows/ with forward slashes
  • Result: security reminder for GitHub Actions workflow editing was silently skipped for all Windows users
  • Fix: normalize `\` to `/` in check_patterns() alongside existing leading-slash normalization

Changes

  • plugins/security-guidance/hooks/security_reminder_hook.py line 186: added .replace("\\", "/") to path normalization

The replace() is a no-op on Linux/macOS where paths already use forward slashes.

Test plan

  • Feed hook JSON with file_path: ".github\workflows\ci.yml" — should trigger GitHub Actions security warning
  • Feed hook JSON with file_path: ".github/workflows/ci.yml" — should still trigger (no regression)
  • Feed hook JSON with file_path: "C:\project\.github\workflows\deploy.yaml" — should trigger
  • Feed hook JSON with file_path: "src/main.py" — should NOT trigger path-based rule

Fixes #18508

On Windows, file paths use backslashes (.github\workflows\ci.yml) which
caused the forward-slash path_check lambda to never match. The security
reminder for GitHub Actions workflow editing was silently skipped for
all Windows users.

Normalize backslashes to forward slashes in check_patterns() alongside
the existing leading-slash normalization. The replace() is a no-op on
Linux/macOS where paths already use forward slashes.

Fixes anthropics#18508
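The following is an added example, not the hook code from the project's repository: it reproduces the before/after behaviour described in the PR and commit message, using a plain substring test for the `.github/workflows/` rule and running the four cases from the test plan. The function names, the `{"file_path": "..."}` event shape, and the `lstrip("/")` stand-in for the hook's existing leading-slash normalization are assumptions; the real `check_patterns()` is not reproduced here.

```python
import json

# Directory fragment the hook's path-based rule looks for (from the PR text).
WORKFLOW_DIR = ".github/workflows/"


def path_check_before_fix(file_path: str) -> bool:
    """Pre-fix behaviour: a substring test on the raw path. Windows paths
    never contain the forward-slash form, so the check silently fails."""
    return WORKFLOW_DIR in file_path


def normalize_path(file_path: str) -> str:
    """Normalization applied before matching. The backslash replace is the
    change from the PR; lstrip("/") stands in for the hook's existing
    leading-slash normalization (its exact form is an assumption here)."""
    normalized = file_path.replace("\\", "/")
    return normalized.lstrip("/")


def path_check_after_fix(file_path: str) -> bool:
    """Post-fix behaviour: match on the normalized path. On Linux/macOS the
    replace() changes nothing, so forward-slash paths still match."""
    return WORKFLOW_DIR in normalize_path(file_path)


def workflow_warning_fires(hook_json: str) -> bool:
    """Parse a hook event and report whether the GitHub Actions reminder
    would fire. The event shape {"file_path": "..."} is assumed for this
    example; the real hook's input schema is not shown on the page."""
    event = json.loads(hook_json)
    file_path = event.get("file_path", "")
    return path_check_after_fix(file_path)


def run_test_plan() -> dict:
    """The four cases from the PR's test plan, as constructed hook events,
    evaluated against both the old and the new check."""
    cases = [
        ".github\\workflows\\ci.yml",                    # Windows relative path
        ".github/workflows/ci.yml",                      # POSIX path (no regression)
        "C:\\project\\.github\\workflows\\deploy.yaml",  # Windows absolute path
        "src/main.py",                                   # must NOT trigger
    ]
    results = {}
    for path in cases:
        hook_json = json.dumps({"file_path": path})  # constructed event
        results[path] = {
            "before_fix": path_check_before_fix(path),
            "after_fix": workflow_warning_fires(hook_json),
        }
    return results


if __name__ == "__main__":
    for path, outcome in run_test_plan().items():
        print(f"{path!r}: before={outcome['before_fix']} after={outcome['after_fix']}")
```

Running the script shows the two Windows-style paths flipping from no match to match, the POSIX path unchanged, and `src/main.py` staying unmatched in both versions, which is exactly the silent-skip the PR describes and the regression check its test plan asks for.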

Successfully merging this pull request may close these issues.

Security reminder should detect workflow files on Windows paths