refactor(hooks): align HTTP hook security with Claude Code behavior

- Add CRLF/NUL sanitization for env var interpolation (header injection)
- Implement combined abort signal (external signal + timeout)
- Upgrade SSRF protection to DNS-level with ssrfGuard
  - Allow loopback (127.0.0.0/8, ::1) for local dev hooks
  - Block CGNAT (100.64.0.0/10) and IPv6 private ranges
- Increase default HTTP hook timeout to 10 minutes
- Fix VS Code hooks schema to support http type
  - Add url, headers, allowedEnvVars, async, once, statusMessage, shell fields
  - Note: "function" type is SDK-only (callback cannot be serialized to JSON)

Author: DennisYu07

packages/cli/src/config/settingsSchema.ts

@@ -131,18 +131,31 @@ const HOOK_DEFINITION_ITEMS: SettingItemDefinition = {
       items: {
         type: 'object',
         description:
-          'A hook configuration entry that defines a command to execute.',
+          'A hook configuration entry that defines a hook to execute.',
         properties: {
           type: {
             type: 'string',
-            description: 'The type of hook.',
-            enum: ['command'],
+            description: 'The type of hook. Note: "function" type is only available via SDK registration, not settings.json.',
+            enum: ['command', 'http'],
             required: true,
           },
           command: {
             type: 'string',
-            description: 'The command to execute when the hook is triggered.',
-            required: true,
+            description: 'The command to execute when the hook is triggered. Required for "command" type.',
+          },
+          url: {
+            type: 'string',
+            description: 'The URL to send the POST request to. Required for "http" type.',
+          },
+          headers: {
+            type: 'object',
+            description: 'HTTP headers to include in the request. Supports env var interpolation ($VAR, ${VAR}).',
+            additionalProperties: { type: 'string' },
+          },
+          allowedEnvVars: {
+            type: 'array',
+            description: 'List of environment variables allowed for interpolation in headers and URL.',
+            items: { type: 'string' },
           },
           name: {
             type: 'string',
@@ -154,14 +167,31 @@ const HOOK_DEFINITION_ITEMS: SettingItemDefinition = {
           },
           timeout: {
             type: 'number',
-            description: 'Timeout in milliseconds for the hook execution.',
+            description: 'Timeout in seconds for the hook execution.',
           },
           env: {
             type: 'object',
             description:
               'Environment variables to set when executing the hook command.',
             additionalProperties: { type: 'string' },
           },
+          async: {
+            type: 'boolean',
+            description: 'Whether to execute the hook asynchronously (non-blocking, for "command" type only).',
+          },
+          once: {
+            type: 'boolean',
+            description: 'Whether to execute the hook only once per session (for "http" type).',
+          },
+          statusMessage: {
+            type: 'string',
+            description: 'A message to display while the hook is executing.',
+          },
+          shell: {
+            type: 'string',
+            description: 'The shell to use for command execution.',
+            enum: ['bash', 'powershell'],
+          },
         },
       },
     },

packages/core/src/hooks/combinedAbortSignal.test.ts

@@ -0,0 +1,91 @@
+/**
+ * @license
+ * Copyright 2026 Qwen Team
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { describe, it, expect } from 'vitest';
+import { createCombinedAbortSignal } from './combinedAbortSignal.js';
+
+describe('createCombinedAbortSignal', () => {
+  it('should return a non-aborted signal by default', () => {
+    const { signal, cleanup } = createCombinedAbortSignal();
+    expect(signal.aborted).toBe(false);
+    cleanup();
+  });
+
+  it('should abort after timeout', async () => {
+    const { signal, cleanup } = createCombinedAbortSignal(undefined, {
+      timeoutMs: 50,
+    });
+    expect(signal.aborted).toBe(false);
+
+    await new Promise((resolve) => setTimeout(resolve, 100));
+    expect(signal.aborted).toBe(true);
+    cleanup();
+  });
+
+  it('should abort when external signal is aborted', () => {
+    const externalController = new AbortController();
+    const { signal, cleanup } = createCombinedAbortSignal(
+      externalController.signal,
+    );
+    expect(signal.aborted).toBe(false);
+
+    externalController.abort();
+    expect(signal.aborted).toBe(true);
+    cleanup();
+  });
+
+  it('should abort immediately if external signal is already aborted', () => {
+    const externalController = new AbortController();
+    externalController.abort();
+
+    const { signal, cleanup } = createCombinedAbortSignal(
+      externalController.signal,
+    );
+    expect(signal.aborted).toBe(true);
+    cleanup();
+  });
+
+  it('should cleanup timeout timer', async () => {
+    const { signal, cleanup } = createCombinedAbortSignal(undefined, {
+      timeoutMs: 50,
+    });
+
+    cleanup();
+
+    // Wait longer than timeout - should not abort because timer was cleared
+    await new Promise((resolve) => setTimeout(resolve, 100));
+    expect(signal.aborted).toBe(false);
+  });
+
+  it('should work with both external signal and timeout', async () => {
+    const externalController = new AbortController();
+    const { signal, cleanup } = createCombinedAbortSignal(
+      externalController.signal,
+      { timeoutMs: 200 },
+    );
+
+    // Abort external signal before timeout
+    externalController.abort();
+    expect(signal.aborted).toBe(true);
+    cleanup();
+  });
+
+  it('should timeout before external signal', async () => {
+    const externalController = new AbortController();
+    const { signal, cleanup } = createCombinedAbortSignal(
+      externalController.signal,
+      { timeoutMs: 50 },
+    );
+
+    // Wait for timeout
+    await new Promise((resolve) => setTimeout(resolve, 100));
+    expect(signal.aborted).toBe(true);
+
+    // External signal is still not aborted
+    expect(externalController.signal.aborted).toBe(false);
+    cleanup();
+  });
+});

packages/core/src/hooks/combinedAbortSignal.ts

@@ -0,0 +1,52 @@
+/**
+ * @license
+ * Copyright 2026 Qwen Team
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/**
+ * Create a combined AbortSignal that aborts when either:
+ * - The provided external signal is aborted, OR
+ * - The timeout is reached
+ *
+ * @param externalSignal - Optional external AbortSignal to combine
+ * @param timeoutMs - Timeout in milliseconds
+ * @returns Object containing the combined signal and a cleanup function
+ */
+export function createCombinedAbortSignal(
+  externalSignal?: AbortSignal,
+  options?: { timeoutMs?: number },
+): { signal: AbortSignal; cleanup: () => void } {
+  const controller = new AbortController();
+
+  const timeoutMs = options?.timeoutMs;
+
+  // Set up timeout
+  let timeoutId: ReturnType<typeof setTimeout> | undefined;
+  if (timeoutMs !== undefined && timeoutMs > 0) {
+    timeoutId = setTimeout(() => {
+      controller.abort();
+    }, timeoutMs);
+  }
+
+  // Listen to external signal
+  if (externalSignal) {
+    if (externalSignal.aborted) {
+      controller.abort();
+    } else {
+      const abortHandler = () => {
+        controller.abort();
+      };
+      externalSignal.addEventListener('abort', abortHandler, { once: true });
+    }
+  }
+
+  const cleanup = () => {
+    if (timeoutId !== undefined) {
+      clearTimeout(timeoutId);
+      timeoutId = undefined;
+    }
+  };
+
+  return { signal: controller.signal, cleanup };
+}

packages/core/src/hooks/envInterpolator.test.ts

@@ -11,6 +11,7 @@ import {
   interpolateUrl,
   hasEnvVarReferences,
   extractEnvVarNames,
+  sanitizeHeaderValue,
 } from './envInterpolator.js';
 
 describe('envInterpolator', () => {
@@ -70,6 +71,30 @@ describe('envInterpolator', () => {
       const result = interpolateEnvVars('MY_TOKEN', ['MY_TOKEN']);
       expect(result).toBe('MY_TOKEN');
     });
+
+    it('should sanitize CR characters to prevent header injection', () => {
+      process.env['EVIL_TOKEN'] = 'good\r\nX-Evil: injected';
+      const result = interpolateEnvVars('$EVIL_TOKEN', ['EVIL_TOKEN']);
+      expect(result).toBe('goodX-Evil: injected');
+    });
+
+    it('should sanitize LF characters to prevent header injection', () => {
+      process.env['EVIL_TOKEN'] = 'good\nX-Evil: injected';
+      const result = interpolateEnvVars('$EVIL_TOKEN', ['EVIL_TOKEN']);
+      expect(result).toBe('goodX-Evil: injected');
+    });
+
+    it('should sanitize NUL characters', () => {
+      process.env['EVIL_TOKEN'] = 'good\x00bad';
+      const result = interpolateEnvVars('$EVIL_TOKEN', ['EVIL_TOKEN']);
+      expect(result).toBe('goodbad');
+    });
+
+    it('should sanitize CRLF and NUL combined', () => {
+      process.env['EVIL_TOKEN'] = 'token\r\nX-Injected: 1\x00more';
+      const result = interpolateEnvVars('Bearer $EVIL_TOKEN', ['EVIL_TOKEN']);
+      expect(result).toBe('Bearer tokenX-Injected: 1more');
+    });
   });
 
   describe('interpolateHeaders', () => {
@@ -143,4 +168,30 @@ describe('envInterpolator', () => {
       expect(extractEnvVarNames('plain text')).toEqual([]);
     });
   });
+
+  describe('sanitizeHeaderValue', () => {
+    it('should strip CR characters', () => {
+      expect(sanitizeHeaderValue('token\r\nX-Evil: 1')).toBe('tokenX-Evil: 1');
+    });
+
+    it('should strip LF characters', () => {
+      expect(sanitizeHeaderValue('token\nX-Evil: 1')).toBe('tokenX-Evil: 1');
+    });
+
+    it('should strip NUL characters', () => {
+      expect(sanitizeHeaderValue('good\x00bad')).toBe('goodbad');
+    });
+
+    it('should strip all three dangerous characters', () => {
+      expect(sanitizeHeaderValue('a\r\nb\x00c')).toBe('abc');
+    });
+
+    it('should not affect safe values', () => {
+      expect(sanitizeHeaderValue('Bearer abc123')).toBe('Bearer abc123');
+    });
+
+    it('should handle empty string', () => {
+      expect(sanitizeHeaderValue('')).toBe('');
+    });
+  });
 });

packages/core/src/hooks/envInterpolator.ts

@@ -9,6 +9,19 @@
  * Provides secure interpolation with whitelist-based access control.
  */
 
+/**
+ * Strip CR, LF, and NUL bytes from a header value to prevent HTTP header
+ * injection (CRLF injection) via env var values or hook-configured header
+ * templates. A malicious env var like "token\r\nX-Evil: 1" would otherwise
+ * inject a second header into the request.
+ *
+ * Aligned with Claude Code's sanitizeHeaderValue behavior.
+ */
+export function sanitizeHeaderValue(value: string): string {
+  // eslint-disable-next-line no-control-regex
+  return value.replace(/[\r\n\x00]/g, '');
+}
+
 /**
  * Interpolate environment variables in a string value.
  * Only variables in the allowedVars list will be replaced.
@@ -18,7 +31,7 @@
  *
  * @param value - The string containing environment variable references
  * @param allowedVars - List of allowed environment variable names
- * @returns The interpolated string
+ * @returns The interpolated string (sanitized to prevent header injection)
  */
 /**
  * Dangerous variable names that could be used for prototype pollution attacks
@@ -45,7 +58,7 @@ export function interpolateEnvVars(
   allowedVars: string[],
 ): string {
   // Match $VAR_NAME or ${VAR_NAME}
-  return value.replace(
+  const interpolated = value.replace(
     /\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?/g,
     (match, varName: string) => {
       // Block dangerous variable names to prevent prototype pollution
@@ -59,6 +72,8 @@ export function interpolateEnvVars(
       return '';
     },
   );
+  // Sanitize to prevent CRLF/NUL header injection
+  return sanitizeHeaderValue(interpolated);
 }
 
 /**

packages/core/src/hooks/httpHookRunner.test.ts

@@ -101,10 +101,10 @@ describe('HttpHookRunner', () => {
       expect(mockFetch).not.toHaveBeenCalled();
     });
 
-    it('should fail for blocked URL (SSRF)', async () => {
+    it('should fail for blocked URL (SSRF - link-local metadata)', async () => {
       const runner = new HttpHookRunner([]); // Allow all patterns
       const config = createMockConfig({
-        url: 'http://localhost:8080/hook',
+        url: 'http://169.254.169.254/latest/meta-data',
       });
       const input = createMockInput();
 
@@ -115,10 +115,33 @@ describe('HttpHookRunner', () => {
       );
 
       expect(result.success).toBe(false);
-      expect(result.error?.message).toContain('SSRF');
+      expect(result.error?.message).toContain('blocked');
       expect(mockFetch).not.toHaveBeenCalled();
     });
 
+    it('should ALLOW localhost for local dev hooks', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        headers: new Headers({ 'content-type': 'application/json' }),
+        json: async () => ({ continue: true }),
+      });
+
+      const runner = new HttpHookRunner([]); // Allow all patterns
+      const config = createMockConfig({
+        url: 'http://localhost:8080/hook',
+      });
+      const input = createMockInput();
+
+      const result = await runner.execute(
+        config,
+        HookEventName.PreToolUse,
+        input,
+      );
+
+      expect(result.success).toBe(true);
+      expect(mockFetch).toHaveBeenCalled();
+    });
+
     it('should interpolate environment variables in headers', async () => {
       process.env['MY_TOKEN'] = 'secret-token';