fix: path traversal in install.sh, error logging in hooks

- Validate language names in install.sh to prevent path traversal via malicious args like ../../etc (only allow [a-zA-Z0-9_-]) - Replace silent catch in check-console-log.js with stderr logging so hook failures are visible to the user for debugging - Escape backticks in session-end.js user messages to prevent markdown structure corruption in session files
2026-04-08 10:23:30 +08:00 · 2026-02-12 14:14:21 -08:00
parent f3a4b33d41
commit 6e5b45ed28
3 changed files with 14 additions and 4 deletions
--- a/install.sh
+++ b/install.sh
@@ -69,6 +69,11 @@ if [[ "$TARGET" == "claude" ]]; then

    # Install each requested language
    for lang in "$@"; do
+        # Validate language name to prevent path traversal
+        if [[ ! "$lang" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+            echo "Error: invalid language name '$lang'. Only alphanumeric, dash, and underscore allowed." >&2
+            continue
+        fi
        lang_dir="$RULES_DIR/$lang"
        if [[ ! -d "$lang_dir" ]]; then
            echo "Warning: rules/$lang/ does not exist, skipping." >&2
@@ -101,6 +106,11 @@ if [[ "$TARGET" == "cursor" ]]; then

    # Install language-specific rules
    for lang in "$@"; do
+        # Validate language name to prevent path traversal
+        if [[ ! "$lang" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+            echo "Error: invalid language name '$lang'. Only alphanumeric, dash, and underscore allowed." >&2
+            continue
+        fi
        if [[ -d "$CURSOR_SRC/rules" ]]; then
            found=false
            for f in "$CURSOR_SRC/rules"/${lang}-*.md; do