fix: sanitize dynamic completion values #21

Closed. Finesssee wants to merge 1 commit into master from codex/propose-fix-for-command-injection-vulnerability

@Finesssee

Owner

Motivation

  • Dynamic completion output previously emitted untrusted API/cache names verbatim, which could include shell metacharacters and enable command-injection when used by shell completion (e.g., compgen/substitution).

Description

  • Add a new sanitize_completion_value function that trims control whitespace and allowlists safe characters for insertion into shell completions.
  • Use sanitize_completion_value for the completion "value" field emitted for teams, projects, issues, statuses, users, and labels, while keeping description sanitization intact.
  • Add two unit tests validating that shell metacharacters are stripped and common identifier formats (e.g., LIN-123, emails, slashes) are preserved.

Testing

  • Ran cargo test test_sanitize_completion_value -- --nocapture and the new tests passed.
  • Ran cargo fmt to format changes successfully.

Codex Task
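
The allowlist approach described in this PR, sketched as an added example (not the project's code and not the actual `sanitize_completion_value`). The function names and the exact allowed character set are assumptions chosen to keep the identifier formats the description mentions (`LIN-123`, emails, slashes).

```rust
// Added example: hypothetical allowlist sanitizer for shell completion values.
// Sample names below are constructed; the allowed set is an assumption.

/// Allowed characters: ASCII letters and digits plus `-`, `_`, `.`, `@`, `/`.
/// Everything else (quotes, `$`, backticks, `;`, `|`, spaces, non-ASCII)
/// is dropped rather than escaped, so no shell quoting rules are relied on.
fn is_allowed(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.' | '@' | '/')
}

/// Trim surrounding whitespace, then keep only allowlisted characters.
/// Returns None when nothing safe remains, so the caller skips the candidate
/// instead of emitting an empty completion.
fn allowlist_completion_value(raw: &str) -> Option<String> {
    let cleaned: String = raw.trim().chars().filter(|c| is_allowed(*c)).collect();
    if cleaned.is_empty() { None } else { Some(cleaned) }
}

/// Sanitize a batch of names. Stripping can collapse two distinct names into
/// the same value, so duplicates are removed while preserving order.
fn completion_values(raw_names: &[&str]) -> Vec<String> {
    let mut out: Vec<String> = Vec::new();
    for name in raw_names {
        if let Some(value) = allowlist_completion_value(name) {
            if !out.contains(&value) {
                out.push(value);
            }
        }
    }
    out
}

fn main() {
    // Constructed input standing in for names returned by an API or cache.
    let names = ["LIN-123", " dev@example.com\n", "team/backend",
                 "Backlog$(echo x)", "`;|&", "LIN-123"];
    for value in completion_values(&names) {
        println!("{value}");
    }
}
```
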

@Finesssee

Owner Author

This change is already on master as c91cbd5 and shipped in v0.3.19, so I’m closing this PR as already landed.

@Finesssee

Owner Author

Closing because this exact change is already on master in c91cbd5 and released in v0.3.19.

@Finesssee Finesssee closed this Apr 4, 2026