feat(ss): implement ss socket statistics builtin

[thieman]

Summary

• Adds the ss builtin command to display network socket statistics without executing any external binary
• Cross-platform: Linux reads /proc/net/, macOS uses unix.SysctlRaw, Windows calls iphlpapi.dll via a narrow unsafe.Pointer exception isolated in builtins/internal/winnet/
• All dangerous flags blocked: -F/--filter (GTFOBins file-read), -p (PID disclosure), -K (socket kill), -E (infinite events), -N (namespace switching)

Supported flags

-t/-u/-x (protocol filter), -l/-a (listening state), -n (numeric), -4/-6 (IP version), -s (summary), -H (no header), -o (timer info), -e (extended uid/inode), -h/--help

Test plan

• go test ./builtins/ss/ ./builtins/tests/ss/ ./interp/... ./allowedsymbols/... ./tests/... — all pass (2 pre-existing failures in command_substitution/backtick_substitution unrelated to this change)
• White-box unit tests for parsing helpers (cross-platform + Linux-only)
• Integration tests with live socket data on macOS
• Pentest tests: all dangerous/rejected flags verified to exit 1
• Fuzz tests: FuzzSSFlags (all platforms), FuzzParseIPv4Proc/FuzzParseIPv6Proc/FuzzFormatIPv6/FuzzParsePortProc (Linux)
• YAML scenario tests with skip_assert_against_bash: true (output is live kernel state)
• Allowedsymbols test passes; internal/ is skipped (consistent with existing pattern)
• gofmt -l . clean

🤖 Generated with Claude Code

[thieman]

@codex review this PR

Important: Read the SPECS section of the PR description. If SPECS are present: make sure the implementation matches ALL the specs.
The specs override other instructions (code, inline comments in code, etc). ALL specs MUST be implemented.

[thieman]

Code Review — PR #106: ss builtin

Overall Assessment: needs fixes (P2 correctness bugs on Windows IPv6)

The Linux and macOS implementations look solid: callCtx.OpenFile is used correctly for all /proc/net/ access, the bufio.Scanner line cap prevents memory exhaustion, and context cancellation is checked at every scan-loop iteration. The flag-rejection list (GTFOBins -F, PID-disclosing -p, namespace-switching -N, etc.) is thorough. Test coverage is strong for Linux parse helpers, pentest vectors, and the shared filter logic.

However, the Windows IPv6 TCP/UDP socket parsing has struct-offset bugs that produce silently wrong state, addresses, and ports for IPv6 sockets on Windows. There is also a minor security-hygiene concern with unix.SysctlRaw being added to the global allow-list rather than the ss-specific one.

Findings

#	Priority	File	Finding
1		builtins/internal/winnet/winnet_windows.go:157	Windows IPv6 TCP state read from wrong struct offset
2		builtins/internal/winnet/winnet_windows.go:174	Windows IPv6 TCP local IP reads bytes 4-19 instead of 0-15
3		builtins/internal/winnet/winnet_windows.go:177	Windows IPv6 TCP remote port reads dwRemoteScopeId (offset 40) instead of dwRemotePort (offset 44)
4		builtins/internal/winnet/winnet_windows.go:230	Windows IPv6 UDP port reads dwLocalScopeId (offset 16) instead of dwLocalPort (offset 20)
5		allowedsymbols/symbols_builtins.go:348	unix.SysctlRaw added to global allow-list; should be ss-only
6		builtins/internal/winnet/winnet_windows.go:95	callExtendedTable retry loop lacks a guard against size not growing

Positive Observations

• Sandbox integrity maintained on Linux: every /proc/net/ file open goes through callCtx.OpenFile, not os.Open — the critical invariant is upheld.
• Memory safety: bufio.Scanner with MaxLineBytes cap, ctx.Err() checked at every iteration on Linux, and the 64 MiB cap on the Windows DLL grow-loop.
• GTFOBins flag blocking: -F/--filter (arbitrary file read), -p (PID disclosure), -K (socket kill), -E (infinite event stream), -N (namespace pivot) are all explicitly rejected.
• Test depth: Linux parse helpers have fuzz + unit + scenario tests; pentest tests cover all rejected flags; filterEntry/isListening have comprehensive unit tests.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e150455049

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[thieman]

[Claude Sonnet 4.6] Addressed all review feedback from the iteration 1 self-review:

Fixed (commit c4c4de9):

• Windows IPv6 TCP state read from offset 0 → fixed to offset 48 (dwState position in MIB_TCP6ROW_OWNER_PID)
• Windows IPv6 TCP local IP read from offset +4 → fixed to offset +0 (ucLocalAddr starts at byte 0)
• Windows IPv6 TCP remote port read from offset +40 → fixed to offset +44 (dwRemotePort position)
• Windows IPv6 UDP local port read from offset +16 → fixed to offset +20 (dwLocalPort position in MIB_UDP6ROW_OWNER_PID)
• P3: Added prevSize guard in callExtendedTable to prevent infinite retry if DLL does not grow buffer size

Not actionable:

• unix.SysctlRaw in global allow-list: the allowedsymbols checker requires any per-command symbol to also appear in builtinAllowedSymbols — removing it from the global list causes TestBuiltinPerCommandSymbols to fail. The current placement is correct.
• GHAS alert at ss_linux.go:162: false positive — the cast is byte (uint8) → uint16 which is a widening conversion, not a narrowing one.

[thieman]

@codex review this PR

Important: Read the SPECS section of the PR description. If SPECS are present: make sure the implementation matches ALL the specs.
The specs override other instructions (code, inline comments in code, etc). ALL specs MUST be implemented.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c4c4de95ec

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[thieman]

Self-review (iteration 2)

Overall assessment: needs fixes — one P1 correctness bug and two P2 issues.

Summary

#	Priority	File	Finding
1		builtins/ss/ss_linux_parse_test.go:177	Wrong expected value in TestFormatIPv6LongestZeroRunPicked — will fail Linux CI
2		tests/scenarios/cmd/ss/output/summary.yaml (and 3 others)	Linux sandbox blocks /proc/net/; ss will return exit 1 but scenarios expect exit 0
3		builtins/internal/winnet/winnet_windows.go:62	Collect() silently drops DLL call errors; ss returns exit 0 with empty output when all calls fail

[thieman]

Review Summary

This PR adds the ss builtin command for network socket statistics. It is well-structured: Linux reads /proc/net/ through the sandbox, macOS uses sysctl (no file I/O), and Windows uses iphlpapi.dll with a narrow unsafe.Pointer exception isolated in builtins/internal/winnet/. Dangerous flags (-F, -p, -K, -E, -N, -b, -r) are all correctly blocked. The sandbox invariant is upheld — ss_linux.go uses callCtx.OpenFile exclusively, not os.Open. The security fixes from iterations 1 and 2 (IPv6 parse test, unixStateMap hex keys, Collect() error propagation, /proc/net sandbox allowance) are all correct.

Overall assessment: safe to merge with minor fixes noted below.

---

Findings

#	Priority	File	Finding
1		builtins/internal/winnet/winnet_windows.go:280	UDP6 remote peer address hardcoded to "0.0.0.0" instead of "::"
2		builtins/ss/ss.go:151	numericAddrs field stored but never read — -n flag is a no-op
3		builtins/ss/ss_darwin.go:13	External import golang.org/x/sys/unix mixed into stdlib import group

---

Positive Observations

• Sandbox invariant upheld: ss_linux.go calls callCtx.OpenFile at both parse sites (lines 238, 328); no direct os.Open usage in any builtin file.
• All GTFOBins vectors blocked: -F/--filter, -p, -K, -E, -N, -b, -r all return exit 1 with a diagnostic, verified by pentest tests.
• Memory safety: Linux uses bufio.Scanner with MaxLineBytes cap and ctx.Err() check in every scan loop. macOS bounds-checks every sysctl offset. Windows caps the grow-loop at 64 MiB and guards against non-increasing buffer size from a misbehaving DLL.
• unixStateMap keys correctly use uppercase two-hex-digit strings ("01", "0A") matching the kernel %02X format — the iteration 2 fix is correct.
• Collect() error propagation in winnet_windows.go now correctly propagates the first error when all sub-collections fail, while still returning partial results when some succeed.
• Scenario test harness change is correct: absolute paths that don't exist on the current OS (e.g. /proc/net on macOS) are silently skipped, and the nil sandbox handles file-open calls safely via nil-receiver method guard in sandbox.resolve().
• fuzz corpus is well-seeded with boundary values, CVE-class inputs, and all flag names.

---

Spec Coverage

No SPECS section in PR description. All documented flags are implemented and tested.

Test Coverage

Code path	Scenario test	Go test	Status
-F/--filter blocked	flags/rejected_flags.yaml	ss_test.go, pentest_test.go	Covered
-p/-K/-E/-N blocked	—	ss_test.go, pentest_test.go	Covered
-an outputs header	output/header_present.yaml	ss_linux_test.go	Covered
-H suppresses header	output/no_header.yaml	ss_linux_test.go	Covered
-s summary	output/summary.yaml	ss_linux_test.go	Covered
Linux proc access denied	—	ss_linux_test.go:TestSSLinuxProcNetAccessDenied	Covered
IPv4/IPv6 parsing	—	ss_linux_parse_test.go (full suite)	Covered
filterEntry / isListening	—	ss_helpers_test.go (full suite)	Covered
Windows UDP6 RemoteIP "0.0.0.0"	—	—	Missing (P2 bug)
-n numeric flag effect	—	—	Not tested (no-op, P3)

[thieman]

@codex review this PR

Important: Read the SPECS section of the PR description. If SPECS are present: make sure the implementation matches ALL the specs.
The specs override other instructions (code, inline comments in code, etc). ALL specs MUST be implemented.

[thieman]

Iteration 3 self-review result: COMMENT

• 0 × P0, 0 × P1, 1 × P2, 2 × P3
• All iteration 2 fixes (IPv6 test, unixStateMap hex keys, Collect() error propagation, /proc/net sandbox paths) confirmed correct.

Findings:

• P2: winnet_windows.go:280 — UDP6 RemoteIP hardcoded to "0.0.0.0" instead of "::" for IPv6 sockets (Windows-only display issue, not security-impacting)
• P3: ss.go:151 — numericAddrs field stored but never read; -n flag is a no-op (behavior accidentally correct since output is always numeric)
• P3: ss_darwin.go:13 — external import mixed into stdlib import group (gofmt style)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5936cb29d3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[thieman]

Review Summary

Reviewed feat(ss): implement ss socket statistics builtin — a new ss builtin that reads kernel socket state directly on Linux (/proc/net/), macOS (sysctl), and Windows (iphlpapi.dll).

Overall assessment: safe to merge. No P0/P1 findings. The implementation correctly enforces sandbox boundaries, blocks all dangerous flags (GTFOBins vectors, PID disclosure, socket kill, infinite event streams, namespace switching), and has thorough test coverage including pentest and fuzz tests.

---

Findings Summary

#	Priority	File	Finding
1		builtins/internal/winnet/winnet_windows.go:96	Hardcoded buffer-size literal diverges from exported MaxWinBufSize constant
2		builtins/ss/ss_darwin.go	formatIPv6FromBytes duplicates the same algorithm as formatIPv6 in ss_linux.go
3		builtins/ss/ss_windows.go	Windows pre-filters entries before filterEntry(), inconsistent with Linux/macOS approach

---

Security

Sandbox integrity: PASS. All file access on Linux goes through callCtx.OpenFile() (the sandbox wrapper), never os.Open. The macOS path uses unix.SysctlRaw (no filesystem access). The Windows path uses iphlpapi.dll isolated in builtins/internal/ — the allowedsymbols checker correctly skips internal/, and the unsafe exception is well-documented and minimal.

Dangerous flag blocking: PASS. -F/--filter (GTFOBins file-read), -p (PID disclosure), -K (socket kill), -E (infinite event stream), -N (namespace switch), -b (BPF), -r (DNS resolve) are all blocked with exit 1. Pentest tests verify all of these.

Resource exhaustion: PASS. Linux /proc/net/ is read line-by-line with a 1 MiB per-line cap (MaxLineBytes). Context cancellation is checked at the top of each scan loop. The macOS path is bounded by kernel-returned data. The Windows grow-loop is capped at 64 MiB.

Integer safety: PASS. The Windows entry iteration computes off = 4 + i*entrySize in uint32 arithmetic, which could theoretically wrap. However, the bounds check int(off)+int(entrySize) > len(data) correctly prevents any out-of-bounds memory access — at worst, a misbehaving DLL could cause iteration to revisit already-seen offsets, producing duplicate entries bounded by the 64 MiB cap, not an unbounded allocation.

---

Test Coverage

Code path	Scenario test	Go test	Status
Rejected flags (-F, -p, -K, -E, -N)	flags/rejected_flags.yaml	ss_test.go, builtin_ss_pentest_test.go	Covered
Unknown flags	flags/unknown_flag.yaml	ss_test.go	Covered
Help output	flags/help.yaml, flags/help_short.yaml	ss_test.go	Covered
Exit code 0 on success	flags/exit_code_success.yaml	—	Covered
Header present / suppressed	output/header_present.yaml, output/no_header.yaml	ss_linux_test.go	Covered
Summary mode	output/summary.yaml	ss_linux_test.go	Covered
Filter logic (protocol/IP version/listen)	—	ss_helpers_test.go	Covered
Linux /proc/net/ access grant/deny	—	ss_linux_test.go	Covered
Linux IPv4/IPv6 parsing	—	ss_linux_parse_test.go, ss_linux_fuzz_test.go	Covered
Context cancellation	—	builtin_ss_pentest_test.go	Covered
Flag fuzzing	—	builtins/tests/ss/ss_fuzz_test.go	Covered

Overall coverage: Adequate.

---

Positive Observations

• Clean three-platform split with no shared unsafe code: Linux uses the sandbox file API, macOS uses a pure sysctl call, Windows isolates unsafe DLL calls in builtins/internal/.
• The allowedsymbols test correctly skips internal/ with an explicit comment explaining why — this is the right pattern.
• Context cancellation is checked at the top of every scan loop in the Linux implementation.
• The MaxLineBytes = 1 MiB cap on the bufio.Scanner prevents memory exhaustion from adversarial /proc/net/ data.
• The GTFOBins attack vector (ss -F /etc/passwd) is explicitly documented and tested with both short and long flag forms.
• Fuzz tests for the Linux parsing helpers with a rich seed corpus covering CVE-class inputs.
• The numericAddrs field has a clear comment explaining it is accepted for compatibility but is a no-op.
• The stale backtick_substitution.yaml and command_substitution.yaml scenario files were correctly removed.

[thieman]

@codex review this PR

Important: Read the SPECS section of the PR description. If SPECS are present: make sure the implementation matches ALL the specs.
The specs override other instructions (code, inline comments in code, etc). ALL specs MUST be implemented.

[thieman]

Iteration 4 self-review result: COMMENT (effectively APPROVE)

• 0 × P0, 0 × P1, 0 × P2, 3 × P3 (all style/refactoring suggestions)
• Overall assessment: safe to merge
• All iteration 3 fixes (UDP6 RemoteIP, numericAddrs comment, import grouping, stale test removal) confirmed correct

P3 Findings (non-blocking):

• P3: winnet_windows.go:96 — 64<<20 literal should reference MaxWinBufSize constant (style)
• P3: ss_darwin.go:395 — formatIPv6FromBytes duplicates algorithm from ss_linux.go (code duplication)
• P3: ss_windows.go:47 — Windows filters before filterEntry() (inconsistent approach, behavior correct)

Security review: all invariants hold (sandbox, blocked flags, resource limits).

[thieman]

Review Summary

Scope: Full review of PR #106 — feat(ss): implement ss socket statistics builtin. This is iteration 5 of the review loop.

This PR implements a new ss builtin that reads network socket state directly from the kernel without executing any external binary. The implementation is cross-platform (Linux/macOS/Windows) and has received extensive hardening across multiple iterations.

Overall assessment: safe to merge. The implementation correctly sandboxes all file I/O through callCtx.OpenFile, blocks all known dangerous flags, and is covered by unit tests, pentest tests, fuzz tests, and YAML scenario tests. One low-severity hardening opportunity is noted below.

---

Spec Coverage

No SPECS section is present in the PR description. The supported and rejected flags are documented inline in the PR body and in the package-level doc comment.

---

Findings Summary

#	Priority	File	Finding
1		builtins/internal/winnet/winnet_windows.go:184	uint32 multiply overflow in TCP/UDP entry loop when numEntries is adversarially large

---

Findings

uint32 multiply overflow in Windows socket entry loop

Severity: P3 — Hardening / Correctness

Location: builtins/internal/winnet/winnet_windows.go:184–186 (TCP), 263–265 (UDP)

Description:

In collectTCP and collectUDP, the loop offset is computed as:

off := 4 + i*entrySize  // both i and entrySize are uint32

If numEntries is unexpectedly large (e.g. MaxUint32), the multiplication i*entrySize will eventually overflow uint32. After overflow, off wraps to a small value that passes the downstream bounds check if int(off)+int(entrySize) > len(data), causing the loop to re-read already-processed portions of the buffer as if they were new entries.

Evidence:

• With entrySize=24 (IPv4 TCP), overflow first occurs at i ≈ 178,956,971. At that point off wraps back to 12, which is safely within a 64 MiB buffer and passes the bounds check.
• With entrySize=56 (IPv6 TCP), overflow occurs at i ≈ 76,695,845.
• The Windows buffer cap is 64 MiB (MaxBufSize). A legitimate table cannot hold MaxUint32 24-byte entries (that would require ~96 GiB). In practice, no valid DLL response can trigger this. The risk is limited to a misbehaving or maliciously-patched DLL, which is already outside the threat model.

Remediation:

Add a numEntries sanity cap before the loop, e.g.:

// Cap numEntries to prevent integer overflow in the offset computation.
// A legitimate Windows socket table cannot hold more than MaxBufSize/entrySize entries.
maxPossible := uint32(MaxBufSize) / entrySize
if numEntries > maxPossible {
    numEntries = maxPossible
}

This eliminates the overflow entirely without changing any observable behaviour for well-formed DLL responses.

---

Coverage Table

Code path	Scenario test	Go test	Status
-F/--filter rejected (GTFOBins)	tests/scenarios/cmd/ss/flags/rejected_flags.yaml	TestSSRejectedFlagF, TestSSPentestGTFObinsFilterShort	Covered
-p/-K/-E/-N rejected	—	TestSSPentestProcessesFlag, TestSSPentestKillFlag, etc.	Covered
Unknown flag rejected	flags/unknown_flag.yaml	TestSSUnknownFlag	Covered
-h/--help	flags/help.yaml, flags/help_short.yaml	TestSSHelp, TestSSHelpLong	Covered
-an (all + numeric)	flags/exit_code_success.yaml, output/header_present.yaml	TestSSLinuxProcNetAccessGranted	Covered
-H (no header)	output/no_header.yaml	TestSSLinuxNoHeader	Covered
-s (summary)	output/summary.yaml	TestSSLinuxSummary	Covered
-t TCP only	—	TestSSLinuxTCPOnly	Covered
-4 IPv4 only	—	TestSSLinuxIPv4Only, TestFilterEntryIPv4OnlyDropsTCP6	Covered
-6 IPv6 only	—	TestFilterEntryIPv6OnlyDropsTCP4	Covered
-4 -6 combined (OR)	—	TestFilterEntryIPv4OnlyDropsTCP6 (implicit)	Covered
-e extended (uid/inode)	—	TestSSLinuxExtended	Covered
-l listen-only	—	TestFilterEntryListenOnly	Covered
-a show-all	—	TestFilterEntryShowAll	Covered
Sandbox: /proc/net denied	—	TestSSLinuxProcNetAccessDenied	Covered
Linux IPv4 address parsing	—	TestParseIPv4ProcLoopback, fuzz	Covered
Linux IPv6 address parsing	—	TestParseIPv6ProcLoopback, fuzz	Covered
Windows uint32 overflow path	—	—	Not covered (P3 above)
Context cancellation	—	TestSSPentestCancelledContext, TestSSLinuxContextCancelledBeforeRun	Covered
macOS sysctl parsing	—	TestSSAllFlagCombinations (live)	Covered (live only)

Coverage assessment: Adequate. The uncovered path (Windows integer overflow) is a theoretical hardening issue on a trusted code path, not a functional gap.

---

Positive Observations

• Sandbox integrity is solid. Linux reads exclusively use callCtx.OpenFile(ctx, path, os.O_RDONLY, 0) — never os.Open or any direct filesystem access. The sandbox cannot be bypassed.
• All dangerous flags are explicitly not registered, not registered-and-rejected. pflag rejects unrecognised flags automatically, so there is no code path that silently accepts a dangerous flag.
• The internal/ package isolation for unsafe code is correct and well-documented. The allowedsymbols check is adjusted to skip internal/ for exactly this reason.
• golang.org/x/sys/unix.SysctlRaw is the only unix.* symbol used on macOS, and it's correctly whitelisted by function name (not package).
• Buffer overflow protection on Windows: the grow-loop is capped at MaxBufSize = 64 MiB and the size <= prevSize guard prevents infinite retries from a non-cooperative DLL.
• Context cancellation is checked at the right granularity: per-line for Linux (streaming), per-protocol-block for macOS (atomic sysctl), and at entry for Windows (single API call).
• Fuzz coverage on all parsing helpers (FuzzSSFlags, FuzzParseIPv4Proc, FuzzParseIPv6Proc, FuzzFormatIPv6, FuzzParsePortProc) is comprehensive.
• Deleted test scenarios (blocked_commands/builtins_and_features/command_substitution.yaml, backtick_substitution.yaml) are correctly removed — command substitution was implemented in PR #93 and those tests are now superseded by the tests/scenarios/shell/command_substitution/ tree.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ed0e1262e4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[thieman]

@codex review this PR

Important: Read the SPECS section of the PR description. If SPECS are present: make sure the implementation matches ALL the specs.
The specs override other instructions (code, inline comments in code, etc). ALL specs MUST be implemented.

[thieman]

Iteration 5 self-review result: COMMENT (safe to merge)

• 0 × P0, 0 × P1, 0 × P2, 1 × P3
• Overall assessment: safe to merge
• All iteration 4 fixes (combined -4/-6 filter bug, MaxBufSize constant, comments) confirmed correct.

P3 Finding:

• P3: winnet_windows.go:185 — uint32 multiply overflow in TCP/UDP entry loop if numEntries is adversarially large (requires misbehaving iphlpapi.dll, outside threat model). Fix: cap numEntries to MaxBufSize/entrySize.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 94b9050fc6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[thieman]

Review Summary

This PR implements the ss builtin command to display network socket statistics. The overall architecture is well-designed: platform-specific implementations are cleanly separated, dangerous flags are blocked, file access goes through the sandbox on Linux, and memory safety measures (scanner caps, buffer limits, overflow guards) are in place. Tests are comprehensive including fuzz tests and pentest scenarios.

However, there is one P1 correctness bug that must be fixed before merging: the darwinTCPStates map in ss_darwin.go uses the Linux tcp_states enum ordering instead of the XNU tcp_fsm.h TCPS_* enum ordering. As a result, TCP states 5–10 are reported with the wrong names on macOS (e.g., CLOSE-WAIT is shown as FIN-WAIT-1, FIN-WAIT-1 as FIN-WAIT-2, etc.).

There is also one P2 hardening suggestion for the Windows callExtendedTable buffer slice.

Assessment: needs fixes (P1 bug)

Findings

#	Priority	File	Finding
1		builtins/ss/ss_darwin.go:92	darwinTCPStates uses Linux tcp_states enum ordering instead of XNU TCPS_* — states 5–10 are wrong
2		builtins/internal/winnet/winnet_windows.go:118	buf[:size] could panic if a misbehaving DLL sets size > prevSize on success

Spec Coverage

No SPECS section in PR description — spec coverage check skipped.

Test Coverage

Code path	Scenario test	Go test	Status
Flag rejection (-F, -p, -K, -E, -N, -r, -b)	flags/rejected_flags.yaml	builtin_ss_pentest_test.go	Covered
Help flag (-h/--help)	flags/help.yaml, flags/help_short.yaml	ss_test.go	Covered
Unknown flag	flags/unknown_flag.yaml	ss_test.go	Covered
Header present / -H suppression	output/header_present.yaml, output/no_header.yaml	ss_linux_test.go	Covered
Summary (-s)	output/summary.yaml	ss_linux_test.go	Covered
Linux /proc/net sandbox enforcement	—	ss_linux_test.go	Covered
IPv4/IPv6 parsing helpers	—	ss_linux_parse_test.go + fuzz	Covered
darwinTCPStates mapping correctness	—	Missing — no test verifies state name output on macOS
filterEntry logic	—	ss_helpers_test.go	Covered
Windows iphlpapi.dll integration	—	Not testable without Windows	Covered (platform)

Overall coverage: Adequate except for the macOS TCP state name bug which has no test catching it.

[thieman]

@codex review this PR

Important: Read the SPECS section of the PR description. If SPECS are present: make sure the implementation matches ALL the specs.
The specs override other instructions (code, inline comments in code, etc). ALL specs MUST be implemented.

[thieman]

Iteration 6 self-review result: COMMENT

• 0 × P0, 1 × P1, 1 × P2, 0 × P3

P1: ss_darwin.go:92 — darwinTCPStates map uses wrong enum ordering
Values 5–10 use Linux tcp_states ordering instead of XNU TCPS_* ordering. CLOSE_WAIT shows as FIN-WAIT-1, FIN-WAIT-1 shows as FIN-WAIT-2, etc.

P2: winnet_windows.go:118 — buf[:size] needs defensive bounds check
After successful DLL call, if misbehaving DLL sets size > prevSize, a bounds panic is possible. Simple if int(size) > len(buf) guard would prevent this.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f24de4c529

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[thieman]

This is a comprehensive implementation of ss as a rshell builtin. The review covers all dimensions.

Summary

Reviewed: ss builtin for Linux (/proc/net/), macOS (sysctl), Windows (iphlpapi.dll), plus tests, fuzz harnesses, and a narrow unsafe exception isolated in builtins/internal/winnet/.

Overall assessment: safe to merge. No P0 or P1 findings. All previous review threads appear resolved. The implementation correctly blocks all dangerous flags (-F/--filter, -p, -K, -E, -N, -r, -b), uses callCtx.OpenFile() exclusively for filesystem access on Linux (never os.Open), confines the unsafe.Pointer exception to a single isolated package, and passes all tests.

---

Finding Summary

#	Priority	File	Finding
1		builtins/ss/ss_windows.go:20	Context cancellation checked only once before DLL calls; large result sets are not interruptible
2		builtins/ss/ss_darwin.go:36-65	IPv6/UDP6 sysctl failures silently swallowed; genuine errors indistinguishable from unavailable sysctl

---

Security

Verified clean:

• No direct os.Open / os.Stat / os.ReadFile calls in any ss package file. Linux uses callCtx.OpenFile() exclusively.
• macOS uses unix.SysctlRaw (no filesystem, no exec). Windows DLL call is strictly read-only (GetExtendedTcpTable / GetExtendedUdpTable).
• All GTFOBins-relevant flags rejected: -F/--filter, -p, -K, -E, -N, -r, -b.
• unsafe.Pointer confined to builtins/internal/winnet/ which is excluded from the allowedsymbols checker — scope and rationale are clearly documented.
• No path traversal vectors: Linux paths are hardcoded constants, not user-supplied.
• golang.org/x/sys/unix.SysctlRaw correctly added to builtinAllowedSymbols.
• Windows buffer grow-loop capped at 64 MiB. Entry count capped at MaxBufSize/entrySize. No integer overflow on 32-bit or 64-bit.
• bufio.Scanner capped at MaxLineBytes = 1 MiB for /proc/net/ parsing.
• ctx.Err() checked at the top of every Linux scan loop.

Correctness

Field indices in parseProcNetIP: Linux /proc/net/tcp fields sl(0) local_addr(1) rem_addr(2) st(3) tx_q:rx_q(4) tr:tm(5) retrnsmt(6) uid(7) timeout(8) inode(9). Code reads uid=fields[7], inode=fields[9], requires len(fields) >= 10. Correct.

sendQ/recvQ: fields[4] = tx_queue:rx_queue. sendQ = qParts[0] (tx), recvQ = qParts[1] (rx). printEntry prints Recv-Q then Send-Q as e.recvQ, e.sendQ. Correct.

Darwin TCP state map: Matches XNU TCPS_* enum (fixed in iteration 6). Correct.

Windows TCP state map: Matches MIB_TCP_STATE (1=CLOSE through 12=DELETE_TCB). Correct.

Windows bounds: int(off)+int(entrySize) > len(data) guard before every field read. All binary.LittleEndian.Uint32 calls are within bounds given the preceding guard. Safe.

hasExtended guard: uid/inode only printed when e.hasExtended is true, correctly suppressing uid:0 inode:0 on non-Linux platforms (fixed in iteration 6). Correct.

Scenario test deletions: backtick_substitution.yaml and command_substitution.yaml deleted because command substitution is now implemented (PR #93). Replacement scenarios present in tests/scenarios/shell/command_substitution/. Correct.

scenarios_test.go change: When allowed_paths: ["/proc/net"] and /proc/net does not exist (macOS/Windows), resolved is empty and no AllowedPaths option is set (sandbox=nil). On those platforms ss uses sysctl/DLL (no file access), so the nil sandbox is harmless and correct.

Test Coverage

Code path	Scenario test	Go test	Status
Dangerous flags blocked	flags/rejected_flags.yaml	ss_test.go, pentest_test.go	Covered
Unknown flag → exit 1	flags/unknown_flag.yaml	ss_test.go	Covered
Help output	flags/help.yaml, flags/help_short.yaml	ss_test.go	Covered
Exit 0 on success	flags/exit_code_success.yaml	—	Covered
Header present / -H suppression	output/header_present.yaml, output/no_header.yaml	ss_linux_test.go	Covered
Summary mode (-s)	output/summary.yaml	ss_linux_test.go	Covered
/proc/net access denied	—	ss_linux_test.go:TestSSLinuxProcNetAccessDenied	Covered
-4/-6 IP version filter	—	ss_helpers_test.go, ss_linux_test.go	Covered
-t/-u/-x protocol filter	—	ss_helpers_test.go	Covered
-a/-l state filter	—	ss_helpers_test.go	Covered
-e extended info (Linux)	—	ss_linux_test.go:TestSSLinuxExtended	Covered
Flag injection via expansion	—	pentest_test.go	Covered
Fuzz: flag combinations	—	ss_fuzz_test.go:FuzzSSFlags	Covered
Fuzz: IPv4/IPv6/port parsing	—	ss_linux_fuzz_test.go	Covered
Context cancellation	—	pentest_test.go, ss_linux_test.go	Covered

P3 Findings (informational, do not block merge)

Finding 1: Windows context not checked during entry-conversion loop

Context cancellation not checked during Windows entry-conversion loop

In ss_windows.go, ctx.Err() is checked once at the top before winnet.Collect(). The subsequent loop converting winnet.SocketEntry → socketEntry is CPU-bound and not interruptible. Risk is low since entry count is capped at MaxBufSize/entrySize in the collector. Minor divergence from the Linux/Darwin pattern.

Finding 2: Darwin IPv6/UDP6 sysctl errors silently dropped

Darwin IPv6/UDP6 sysctl failures silently swallowed

In ss_darwin.go, collectSysctlTCP("net.inet6.tcp6.pcblist_n", ...) and collectSysctlUDP("net.inet6.udp6.pcblist_n", ...) errors are discarded with _ = err. This correctly handles systems where IPv6 is unavailable, but also silently drops genuine failures (e.g., permission errors). The partial output will be returned without a diagnostic. Low risk since sysctl keys are read-only.

Positive Observations

• builtins/internal/ isolation for the Windows unsafe exception is well-designed and clearly documented.
• winnet.SocketEntry exposes only minimum necessary fields — no PID, no process name.
• All three platform implementations share filterEntry, printEntry, printHeader, printSummary — excellent reuse.
• hasExtended bool guard elegantly prevents misleading output on non-Linux platforms.
• recLen == 0 sentinel handling in Darwin sysctl parser correctly handles the 4-byte zero sentinels between connection groups.
• Fuzz coverage is thorough: flag input fuzzing plus four parser-level fuzz functions for Linux.

[thieman]

@codex review this PR

Important: Read the SPECS section of the PR description. If SPECS are present: make sure the implementation matches ALL the specs.
The specs override other instructions (code, inline comments in code, etc). ALL specs MUST be implemented.

[thieman]

Iteration 7 self-review result: COMMENT (safe to merge)

• 0 × P0, 0 × P1, 0 × P2, 2 × P3 (informational)
• All iteration 6 fixes confirmed correct (darwinTCPStates enum, bounds check, hasExtended guard)
• Overall: safe to merge

P3 findings (non-blocking):

• P3: ss_windows.go:20 — Context cancellation checked only once; entry loop not interruptible (bounded, low risk)
• P3: ss_darwin.go:36 — IPv6/UDP6 sysctl failures silently swallowed (correct behavior, no diagnostic)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1024a3af2d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Parse /proc timer field before emitting -o output

This parser only extracts tx_queue:rx_queue from fields[4] and never reads the timer column (tr:tm->when), so socketEntry.timer stays empty for Linux entries. Because printEntry falls back to timer:(off) when the timer string is empty, ss -o will misreport active timers (for example TIME-WAIT sockets) as off, which breaks the advertised -o behavior.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Avoid emitting fake uid for Unix sockets with -e

parseProcNetUnix sets hasExtended: true even though it never parses a UID from /proc/net/unix; the uid field therefore remains the zero value. With -e, this causes Unix rows to print uid:0 inode:..., which fabricates UID data instead of indicating that UID is unavailable for that record format.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Keep AllowedPaths enforcement when resolution yields none

When all configured absolute allowed_paths are absent on the current OS, this branch skips interp.AllowedPaths entirely. That changes the scenario from a restricted run to an unrestricted run, so cross-platform scenario tests can accidentally pass while accessing files they were meant to be sandboxed away from.

Useful? React with 👍 / 👎.