zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-04-03 07:33:31 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: path traversal in install.sh, error logging in hooks

Browse Source 
- Validate language names in install.sh to prevent path traversal via
  malicious args like ../../etc (only allow [a-zA-Z0-9_-])
- Replace silent catch in check-console-log.js with stderr logging so
  hook failures are visible to the user for debugging
- Escape backticks in session-end.js user messages to prevent markdown
  structure corruption in session files
This commit is contained in:
Affaan Mustafa
2026-02-12 14:14:21 -08:00
parent f3a4b33d41
commit 6e5b45ed28
3 changed files with 14 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
scripts/hooks/session-end.js
View File

@@ -157,10 +157,10 @@ ${summarySection}
function buildSummarySection(summary) {
let section = '## Session Summary\n\n';
// Tasks (from user messages)
// Tasks (from user messages — escape backticks to prevent markdown breaks)
section += '### Tasks\n';
for (const msg of summary.userMessages) {
section += `- ${msg}\n`;
section += `- ${msg.replace(/`/g, '\\`')}\n`;
}
section += '\n';