π‘οΈ Sentinel: [HIGH] Fix Terminal Injection via ANSI OSC sequences with ST terminator#157
π‘οΈ Sentinel: [HIGH] Fix Terminal Injection via ANSI OSC sequences with ST terminator#157hongymagic wants to merge 2 commits into
Conversation
β¦h ST terminator * π¨ Severity: HIGH * π‘ Vulnerability: ANSI OSC sequences ending with the String Terminator (ST, \u001B\\) were not matched by the ANSI_REGEX, meaning they bypassed the stripAnsi filter. * π― Impact: A malicious response from an AI model could include an unstripped OSC sequence like `\x1B]8;;http://malicious.com\x1B\\Malicious Link\x1B]8;;\x1B\\` to render disguised hyperlinks or manipulate the terminal. * π§ Fix: Updated the ANSI_REGEX in `src/ansi.ts` to match both `\u0007` (BEL) and `\u001B\\` (ST). * β Verification: Added a test case to `tests/ansi_security.test.ts` to assert that OSC sequences ending with ST are completely stripped. Co-authored-by: hongymagic <302730+hongymagic@users.noreply.github.com>
|
π Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a π emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
There was a problem hiding this comment.
Pull request overview
This PR addresses a high-severity terminal/clipboard sanitization gap where ANSI OSC sequences terminated with the String Terminator (ST) were not fully removed by the existing ANSI stripping regex, allowing OSC payloads (e.g., hyperlinks) to survive sanitization.
Changes:
- Updated
ANSI_REGEXto treat OSC sequences terminated by BEL or ESC\(ST) as strip-worthy. - Added a security regression test asserting OSC hyperlink sequences ending with ESC
\are stripped bysanitizeForClipboard. - Documented the incident and remediation guidance in Sentinelβs journal.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
src/ansi.ts |
Expands ANSI stripping regex to recognize OSC sequences ending with ST (ESC \). |
tests/ansi_security.test.ts |
Adds a regression test for stripping OSC hyperlinks terminated with ST. |
.jules/sentinel.md |
Records the vulnerability and recommended prevention pattern. |
| const ANSI_REGEX = new RegExp( | ||
| [ | ||
| "[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)", | ||
| "[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?(?:\\u0007|\\u001B\\\\))", |
| const input = "\u001b]8;;http://malicious.com\u001b\\Malicious Link\u001b]8;;\u001b\\"; | ||
| expect(sanitizeForClipboard(input)).toBe("Malicious Link"); | ||
| }); | ||
|
|
| **Vulnerability:** ANSI_REGEX in `src/ansi.ts` failed to match OSC sequences terminated with the String Terminator (ST, `\u001B\\`), leaving them unstripped. `sanitizeForTerminal` then translated `\x1B` to the literal string `\x1B`, meaning the payload was bypassed entirely and printed to the terminal. | ||
| **Learning:** Standard library `ansi-regex` packages and implementations often omit or poorly handle the String Terminator (ST) sequence, assuming OSCs only end in `\x07` (BEL). |
β¦h ST terminator * π¨ Severity: HIGH * π‘ Vulnerability: ANSI OSC sequences ending with the String Terminator (ST, \u001B\\) were not matched by the ANSI_REGEX, meaning they bypassed the stripAnsi filter. * π― Impact: A malicious response from an AI model could include an unstripped OSC sequence like `\x1B]8;;http://malicious.com\x1B\\Malicious Link\x1B]8;;\x1B\\` to render disguised hyperlinks or manipulate the terminal. * π§ Fix: Updated the ANSI_REGEX in `src/ansi.ts` to match both `\u0007` (BEL) and `\u001B\\` (ST). * β Verification: Added a test case to `tests/ansi_security.test.ts` to assert that OSC sequences ending with ST are completely stripped. Co-authored-by: hongymagic <302730+hongymagic@users.noreply.github.com>
\x1B]8;;http://malicious.com\x1B\\Malicious Link\x1B]8;;\x1B\\to render disguised hyperlinks or manipulate the terminal.src/ansi.tsto match both\u0007(BEL) and\u001B\\(ST).tests/ansi_security.test.tsto assert that OSC sequences ending with ST are completely stripped.PR created automatically by Jules for task 7167495553133608422 started by @hongymagic