Security Enhancement: Script Integrity Checking
Severity: MEDIUM
Priority: MEDIUM
Category: File Integrity
Problem
No verification that installed scripts are authentic and unmodified:
- Scripts could be tampered with after installation
- No checksum verification
- Race condition between install and settings.json update
Impact
- Malicious script execution
- Silent compromise
- No detection of tampering
Solution
Implement checksum-based integrity verification:
```typescript
import crypto from 'crypto';
import { promises as fs } from 'fs';

// Checksums generated during build, stored as "sha256-" followed by the hex digest
const SCRIPT_CHECKSUMS: Record<string, string> = {
  'statusline.sh': 'sha256-abc123...',
};

async function verifyScriptIntegrity(scriptPath: string, name: string): Promise<boolean> {
  const content = await fs.readFile(scriptPath);
  // Prefix the digest so it is compared in the same form as the stored value
  const hash = `sha256-${crypto.createHash('sha256').update(content).digest('hex')}`;
  const expected = SCRIPT_CHECKSUMS[name];
  // A script with no recorded checksum (expected is undefined) fails this check too
  if (hash !== expected) {
    console.error(`❌ Script integrity check failed for ${name}`);
    console.error(`   Expected: ${expected}`);
    console.error(`   Got: ${hash}`);
    return false;
  }
  return true;
}

// Verify before writing to settings.json
// (statuslinePath is the installed script's path, set by the install step)
const statuslineValid = await verifyScriptIntegrity(statuslinePath, 'statusline.sh');
if (!statuslineValid) {
  throw new Error('Script integrity verification failed');
}
```
Implementation Steps
- Generate checksums at build time
- Embed checksums in compiled code
- Verify on installation
- Verify with --verify flag
- Document verification process
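The build-time and install-time steps above, sketched end to end as an added example; this is not code from the project. The helper names (`buildManifest`, `renderChecksumModule`, `verifyInstalled`, `demo`) and the use of synchronous `fs` calls are assumptions, and the sample script content is constructed.

```typescript
import { createHash } from 'crypto';
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

type Manifest = Record<string, string>; // script name -> lowercase hex SHA-256

function sha256Hex(data: Buffer): string {
  return createHash('sha256').update(data).digest('hex');
}

// Build step: hash each shipped script (hypothetical helper name).
function buildManifest(scriptsDir: string, names: string[]): Manifest {
  const manifest: Manifest = {};
  for (const name of [...names].sort()) {
    manifest[name] = sha256Hex(fs.readFileSync(path.join(scriptsDir, name)));
  }
  return manifest;
}

// Render the source of the module that the build embeds in the compiled CLI.
function renderChecksumModule(manifest: Manifest): string {
  const body = JSON.stringify(manifest, null, 2);
  return `// Generated at build time. Do not edit.\nexport const SCRIPT_CHECKSUMS = ${body} as const;\n`;
}

// Install and --verify step: list every script that is missing or modified.
function verifyInstalled(installDir: string, manifest: Manifest): string[] {
  const failures: string[] = [];
  for (const [name, expected] of Object.entries(manifest)) {
    let actual: string | undefined;
    try {
      actual = sha256Hex(fs.readFileSync(path.join(installDir, name)));
    } catch {
      // Missing or unreadable: reported as a failure, never skipped.
    }
    if (actual !== expected) failures.push(name);
  }
  return failures;
}

// Constructed demo in a temp directory: clean install, then a simulated change.
function demo(): { clean: string[]; tampered: string[]; moduleSource: string } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'integrity-'));
  const script = path.join(dir, 'statusline.sh');
  fs.writeFileSync(script, '#!/bin/sh\necho status\n'); // constructed sample script
  const manifest = buildManifest(dir, ['statusline.sh']);
  const clean = verifyInstalled(dir, manifest);
  fs.appendFileSync(script, 'echo changed\n');
  const tampered = verifyInstalled(dir, manifest);
  fs.rmSync(dir, { recursive: true, force: true });
  return { clean, tampered, moduleSource: renderChecksumModule(manifest) };
}
```

Running `verifyInstalled` again immediately before the settings.json write keeps the gap between check and use as small as possible; it does not remove it.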
Files to Modify
- package.json (add prebuild checksum generation)
- src/cli/commands/init.ts (add verification)
- Add checksum generation script
Acceptance Criteria
Related Issues