fix: move security hook debug log from /tmp to ~/.claude/ and gate behind env var #186
Open
xiaolai wants to merge 1 commit into ComposioHQ:master from
Conversation
…ehind env var

The debug log was written unconditionally to /tmp/security-warnings-log.txt, a world-writable path that any local user can read. Since the log records which files are being edited and which security patterns fired, it leaks session-scoped information to other local users.

Changes:
- Relocate DEBUG_LOG_FILE to ~/.claude/security-warnings-log.txt, matching where the hook already writes its session state files
- Gate all log writes behind SECURITY_REMINDER_DEBUG=1 env var so the log is disabled by default and no file is created unless explicitly opted in
- Add makedirs guard so the ~/.claude/ directory is created if needed

Co-Authored-By: Claude Code <noreply@anthropic.com>
This was referenced Apr 21, 2026
Security Fix (Medium severity)

security-guidance/hooks/security_reminder_hook.py writes a debug log unconditionally to /tmp/security-warnings-log.txt.

/tmp is world-writable on Linux/macOS. Any local user on the same machine can read this file. Since the log records which files are being edited and which security patterns triggered, it leaks session-scoped information — including file paths of files being written by Claude — to other local users.

The hook already uses ~/.claude/ for its session state files (e.g. security_warnings_state_{session_id}.json), making that the natural and already-trusted location.

Fix

Two changes:

1. Relocate the log file from /tmp/security-warnings-log.txt to ~/.claude/security-warnings-log.txt, which is user-private and already used for hook state.
2. Gate writes behind SECURITY_REMINDER_DEBUG=1 so no log file is created by default. The log existed only for debugging; there's no reason to write it on every hook invocation in production.

Users who want debug logging can opt in with SECURITY_REMINDER_DEBUG=1 in their environment.

Impact

This is a minimal, backwards-compatible change. The hook's security warning behavior is unchanged. Debug logging is disabled by default (which was effectively true for any deployment that didn't know the undocumented /tmp path existed).
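The two changes described in this PR (a user-private log location plus an opt-in env var, with the makedirs guard), as an added Python example that is not the project's hook code. The function names and the `home`/`env` parameters are assumptions made so the behaviour can be exercised in a throwaway directory instead of the real home.

```python
import os
import tempfile
from pathlib import Path

# Added illustration of the fix described in this PR, not the project's hook code.
# The env var name and ~/.claude/ location come from the PR description; the
# function names and the `home`/`env` parameters (for testability) are assumptions.
DEBUG_ENV_VAR = "SECURITY_REMINDER_DEBUG"
OLD_LOG_PATH = Path("/tmp/security-warnings-log.txt")   # pre-fix: shared, world-readable

def debug_log_path(home=None):
    """Post-fix location: the user's private ~/.claude/ directory."""
    base = Path(home) if home is not None else Path.home()
    return base / ".claude" / "security-warnings-log.txt"

def debug_logging_enabled(env=None):
    """Opt-in only: the log is written solely when SECURITY_REMINDER_DEBUG=1 is set."""
    env = os.environ if env is None else env
    return env.get(DEBUG_ENV_VAR) == "1"

def debug_log(message, home=None, env=None):
    """Append one line to the debug log, or do nothing when debugging is off.

    Returns the path written, or None when disabled; in the disabled (default)
    case neither the file nor the ~/.claude/ directory is created.
    """
    if not debug_logging_enabled(env):
        return None
    path = debug_log_path(home)
    path.parent.mkdir(parents=True, exist_ok=True)   # the makedirs guard
    with path.open("a", encoding="utf-8") as fh:
        fh.write(message.rstrip("\n") + "\n")
    return path

def demo():
    """Exercise both branches in a throwaway home directory and report the outcome."""
    with tempfile.TemporaryDirectory() as home:
        off = debug_log("edited: src/app.py", home=home, env={})
        nothing_created = not (Path(home) / ".claude").exists()
        on = debug_log("edited: src/app.py", home=home, env={DEBUG_ENV_VAR: "1"})
        contents = on.read_text(encoding="utf-8")
        rel = str(on.relative_to(home))
    return {"off": off, "nothing_created": nothing_created,
            "on_path": rel, "contents": contents}

if __name__ == "__main__":
    print(demo())
```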