
Rule Reference

SEC366 · lintai-ai-security · preview · claude_settings · warn

Claude settings: dangerous HTTP hook host literal

Claude settings allow dangerous host literals in `allowedHttpHookUrls`

Provider: lintai-ai-security
Surface: claude_settings
Scope: per_file
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks shared committed Claude settings for dangerous host literals in `allowedHttpHookUrls`.

Deterministic signal basis

ClaudeSettingsSignals exact host analysis over `allowedHttpHookUrls` entries in parsed Claude settings JSON.

Malicious corpus: claude-settings-dangerous-http-hook-host
Benign corpus: claude-settings-http-hook-safe
Structured evidence required · remediation reviewed
Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

SEC366 flags committed Claude settings that allow dangerous host literals in `allowedHttpHookUrls`.

This is useful because:

  • shared Claude settings should not quietly normalize metadata-service or private-network hook targets
  • an allowlisted metadata-service or private-network host is a clear SSRF or uncontrolled-exfiltration policy smell in team-facing config
  • the signal is structural (an exact host match over parsed JSON), so maintainers can reason about it quickly during review

What Triggers

This rule applies only to committed Claude settings surfaces:

  • .claude/settings.json
  • claude/settings.json

It triggers when `allowedHttpHookUrls` contains a URL whose host literal is dangerous, such as:

  • 169.254.169.254 (the cloud instance metadata service)
  • metadata.google.internal
  • an address in a private IPv4 range

It does not trigger on:

  • ordinary public hosts
  • fixture-like test/example paths
  • prose references outside real Claude settings JSON
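The following checker is an added example written for this page; it is not lintai's own implementation. It reproduces the structural shape described above: gate on a committed Claude settings path, parse the JSON, and apply an exact host analysis to each `allowedHttpHookUrls` entry. The concrete host list (the two metadata hosts named above plus the RFC 1918 ranges), the set of path components treated as fixture-like, and the finding dictionary layout are assumptions, since the page does not publish them. The sample settings files at the bottom are constructed for the demo.

```python
"""SEC366-style check: dangerous host literals in allowedHttpHookUrls.

Added example, not lintai's code. Host list, fixture heuristics and the
finding format are assumptions; the page does not publish them.
"""
import ipaddress
import json
import posixpath
from typing import Optional
from urllib.parse import urlsplit

RULE_ID = "SEC366"

# Host literals named on the page (assumed exact-match set, compared lowercase).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}

# Assumed meaning of "private IPv4 ranges": the RFC 1918 blocks.
PRIVATE_V4 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Path components that make a file "fixture-like" (assumption).
FIXTURE_MARKERS = {"test", "tests", "testdata", "fixture", "fixtures", "example", "examples"}


def is_claude_settings_path(path: str) -> bool:
    """True only for .claude/settings.json or claude/settings.json outside fixture dirs."""
    parts = posixpath.normpath(path.replace("\\", "/")).split("/")
    if len(parts) < 2 or parts[-1] != "settings.json" or parts[-2] not in {".claude", "claude"}:
        return False
    return not any(p.lower() in FIXTURE_MARKERS for p in parts[:-2])


def dangerous_host(url: str) -> Optional[str]:
    """Return why the URL's host literal is dangerous, or None if it is not.

    This is an exact-host check: a public DNS name that happens to resolve
    to a metadata or private address is deliberately not flagged here.
    """
    try:
        host = urlsplit(url).hostname  # already lowercased, brackets stripped
    except ValueError:
        return None  # malformed URL (e.g. unbalanced IPv6 brackets)
    if not host:
        return None  # not a URL with an authority component
    if host in METADATA_HOSTS:
        return "metadata-service host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name that is not on the exact list
    if addr.version == 4 and any(addr in net for net in PRIVATE_V4):
        return "private IPv4 address"
    return None


def scan_settings(path: str, text: str) -> list:
    """Run the check over one file; returns a list of finding dicts."""
    if not is_claude_settings_path(path):
        return []
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return []  # not real settings JSON, so nothing structural to analyze
    urls = data.get("allowedHttpHookUrls") if isinstance(data, dict) else None
    if not isinstance(urls, list):
        return []
    findings = []
    for idx, entry in enumerate(urls):
        if not isinstance(entry, str):
            continue
        reason = dangerous_host(entry)
        if reason:
            findings.append({"rule": RULE_ID, "severity": "warn", "path": path,
                             "index": idx, "url": entry, "reason": reason})
    return findings


def scan_all(files: dict) -> list:
    """Scan a {path: text} mapping, e.g. the committed tree of a repository."""
    out = []
    for path, text in files.items():
        out.extend(scan_settings(path, text))
    return out


# Constructed sample files for the demo (not taken from any real repository).
SAMPLE_FILES = {
    ".claude/settings.json": json.dumps({"allowedHttpHookUrls": [
        "https://169.254.169.254/latest/meta-data",
        "http://metadata.google.internal/computeMetadata/v1/",
        "https://10.0.0.5:8443/hook",
        "https://hooks.example.test/notify",
    ]}),
    # fixture-like path: skipped even though the host is private
    "tests/fixtures/.claude/settings.json": json.dumps(
        {"allowedHttpHookUrls": ["https://192.168.1.10/hook"]}),
    # prose/markdown mentioning the key is not a settings surface
    "docs/claude-settings.md": '{"allowedHttpHookUrls": ["https://169.254.169.254/"]}',
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f['rule']} {f['severity']} {f['path']}[{f['index']}]: {f['url']} ({f['reason']})")
```

Running the script reports three findings, all from `.claude/settings.json` (the two metadata hosts and the 10.0.0.5 entry); the fixture path and the markdown file produce nothing. Because the analysis is exact-host, a hook URL that points at a DNS name which later resolves to a metadata or private address is out of scope for this rule, which is the trade-off that keeps the signal deterministic and easy to review.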

Examples

Bad:

```json
{
  "allowedHttpHookUrls": [
    "https://169.254.169.254/latest/meta-data"
  ]
}
```

Better:

```json
{
  "allowedHttpHookUrls": [
    "https://hooks.example.test/notify"
  ]
}
```

Remediation

  • remove metadata-service and private-network host literals from `allowedHttpHookUrls`
  • replace them with reviewed public endpoints only where shared hook callbacks are actually required
  • keep local lab or fixture examples out of committed, team-facing Claude settings