Skip to content
This repository was archived by the owner on Jun 21, 2026. It is now read-only.
This repository was archived by the owner on Jun 21, 2026. It is now read-only.

Security: Debug logging to world-readable /tmp file #48

Description

@EricGrill

Problem

Security guidance plugin writes debug logs to a world-readable temp file.

Current state:
File: plugins/anthropic-security-guidance/hooks/security_reminder_hook.py

DEBUG_LOG_FILE = "/tmp/security-warnings-log.txt"

def log_security_check(check_type, result):
    """Log security check for debugging purposes"""
    timestamp = datetime.now().isoformat()
    with open(DEBUG_LOG_FILE, "a") as f:
        f.write(f"[{timestamp}] {check_type}: {result}\n")

Why it matters:

  • /tmp is world-readable on most systems
  • Security warnings may contain sensitive file paths or code patterns
  • No log rotation or size limiting - can fill disk
  • No way to disable logging
  • Violates principle of least surprise for a security plugin

Suggested Solution

  1. Make logging opt-in via environment variable
  2. Use a more private location (e.g., ~/.claude/logs/)
  3. Add log rotation and size limits
  4. Sanitize any potentially sensitive data
  5. Document the logging behavior
DEBUG_LOG_FILE = os.path.expanduser("~/.claude/logs/security-warnings.log")
# Or disable by default:
if os.getenv("CLAUDE_SECURITY_DEBUG"):
    log_security_check(...)

Acceptance Criteria

  • Logging disabled by default or uses private location
  • Environment variable to enable debug logging
  • Log rotation implemented
  • Security review of logged data
  • Documentation updated

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions