fix: sanitize picker labels/hints to prevent terminal escape injection#208
bukinoshita wants to merge 1 commit into
Conversation
@cubic-dev-ai can you review?
@bukinoshita I have started the AI code review. It will take a few minutes to complete.
@cursor fix conflicts
The PR description was edited by cubic (the automated review tool) and the title is the same. I'll preserve those edits and not update the PR body/title since they're accurate. The conflicts are now resolved and the branch is pushed. Resolved the merge conflicts by rebasing onto the latest |
Strip VT/ANSI/OSC control sequences and C0/C1 control characters from picker option labels and hints in pickId() before passing them to @clack/prompts. This prevents crafted resource names (e.g. email subjects, template names, webhook endpoints) from injecting terminal escape sequences that could manipulate an operator's terminal. The fix is centralized in pickId() via a new sanitizeTerminalText utility, protecting all current and future PickerConfig callers. Co-authored-by: Bu Kinoshita <bukinoshita@users.noreply.github.com>
0edc46a to 83b0a47


Summary by cubic
Sanitize picker option labels and hints to strip terminal escape sequences and control characters, preventing terminal escape injection in interactive CLI prompts. Centralized in `pickId()` to protect all `PickerConfig` flows; addresses BU-616.

- `sanitizeTerminalText` utility using `node:util`’s `stripVTControlCharacters` and C0/C1 removal.
- `label`/`hint` in `pickId()` before passing to `@clack/prompts`.

Written for commit 9d8c423.
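The commit message and the cubic summary above describe the sanitizer only in outline (`node:util`'s `stripVTControlCharacters` followed by C0/C1 removal, applied centrally to picker labels and hints). The block below is an added example, not the project's own `sanitizeTerminalText` or `pickId()` code, of what that two-pass sanitizer looks like and how it behaves on the kinds of attacker-controlled names the commit message mentions. The `PickerOption` type, `sanitizePickerOptions`, `hasTerminalControls`, the extra OSC pre-pass and the sample option list are all assumptions for illustration; the sample data is constructed, not taken from any real account.

```typescript
// Added example (not the project's own code): a sanitizeTerminalText utility of
// the shape the commit message describes, applied to @clack/prompts-style
// picker options. PickerOption, sanitizePickerOptions, hasTerminalControls
// and the sample data below are assumptions made for this illustration.
import { stripVTControlCharacters } from "node:util";

// OSC sequences (ESC ] ... or the C1 introducer 0x9D ...) terminated by BEL,
// ESC \ or the C1 string terminator 0x9C. These are removed before
// stripVTControlCharacters because, depending on the Node version, that
// function only reliably consumes the BEL-terminated form, and an OSC 8
// hyperlink target or a window-title payload must go with the introducer.
const OSC_SEQUENCE = /(?:\x1b\]|\x9d)[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)/g;

// C0 controls (U+0000-U+001F), DEL (U+007F) and C1 controls (U+0080-U+009F).
// Catches raw BEL/BS/CR/NUL, C1 NEL, and any lone ESC or CSI byte left behind
// by an unterminated or unrecognised sequence. Note that TAB and LF are C0 too:
// a single-line picker label has no use for them, so they are dropped as well.
const CONTROL_CHARS = /[\u0000-\u001F\u007F-\u009F]/g;

export function sanitizeTerminalText(input: string): string {
  const withoutOsc = input.replace(OSC_SEQUENCE, "");
  // Whole escape sequences: CSI cursor/erase commands, SGR colour, etc.
  const withoutEscapes = stripVTControlCharacters(withoutOsc);
  // Anything that is still a control character is removed byte by byte.
  return withoutEscapes.replace(CONTROL_CHARS, "");
}

// True when the input contained something the sanitizer had to strip; useful
// for logging that a resource name was tampered with rather than silently
// cleaning it.
export function hasTerminalControls(input: string): boolean {
  return sanitizeTerminalText(input) !== input;
}

export interface PickerOption<T> {
  value: T;
  label: string;
  hint?: string;
}

// Assumed shape of the centralised step: every label and hint is sanitised
// before it reaches the prompt library. A label that is empty after stripping
// (a name made only of escapes) falls back to the value so the operator still
// sees a selectable row instead of a blank line.
export function sanitizePickerOptions<T>(options: PickerOption<T>[]): PickerOption<T>[] {
  return options.map((o) => {
    const label = sanitizeTerminalText(o.label);
    const out: PickerOption<T> = {
      value: o.value,
      label: label.length > 0 ? label : String(o.value),
    };
    if (o.hint !== undefined) {
      out.hint = sanitizeTerminalText(o.hint);
    }
    return out;
  });
}

// Constructed sample resources (not real data): names an attacker controls,
// such as the subjects of inbound emails listed in an interactive picker.
export const SAMPLE_OPTIONS: PickerOption<string>[] = [
  // SGR colour: harmless-looking but lets a row masquerade as a warning.
  { value: "em_1", label: "\x1b[31mURGENT\x1b[0m invoice", hint: "sent today\r" },
  // OSC 8 hyperlink terminated by BEL: clickable text pointing elsewhere.
  { value: "em_2", label: "\x1b]8;;https://evil.example\x07Click here\x1b]8;;\x07" },
  // Same hyperlink terminated by ESC \ (ST), plus a C1 NEL in the hint.
  { value: "em_3", label: "\x1b]8;;https://evil.example\x1b\\Open\x1b]8;;\x1b\\", hint: "q1\u0085report" },
  // Raw C0 bytes: BEL, backspaces and NUL.
  { value: "em_4", label: "Quarterly\x07 report\x08\x08\x00" },
  // Erase-screen and cursor-home with nothing printable, DEL as the hint.
  { value: "em_5", label: "\x1b[2J\x1b[H", hint: "\x7f" },
];
```

The order of the passes matters: removing C0/C1 bytes first would delete the ESC that introduces a sequence and leave its parameters (`[31m`, `]8;;https://evil.example`) behind as visible text, which is harmless but confusing. Stripping whole sequences first and control bytes second keeps the label readable and still guarantees that no byte capable of starting a sequence survives.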