zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-03-30 13:43:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: sanitize getExecCommand args, escape regex in getCommandPattern, clean up readStdinJson timeout, add 10 tests

Browse Source 
Validate args parameter in getExecCommand() against SAFE_ARGS_REGEX to
prevent command injection when returned string is passed to a shell.
Escape regex metacharacters in getCommandPattern() generic action branch
to prevent malformed patterns and unintended matching. Clean up stdin
listeners in readStdinJson() timeout path to prevent process hanging.
This commit is contained in:
Affaan Mustafa
2026-02-13 02:27:04 -08:00
parent d9331cb17f
commit a62a3a2416
3 changed files with 80 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
scripts/lib/utils.js
View File

@@ -215,6 +215,11 @@ async function readStdinJson(options = {}) {
const timer = setTimeout(() => {
if (!settled) {
settled = true;
// Clean up stdin listeners so the event loop can exit
process.stdin.removeAllListeners('data');
process.stdin.removeAllListeners('end');
process.stdin.removeAllListeners('error');
if (process.stdin.unref) process.stdin.unref();
// Resolve with whatever we have so far rather than hanging
try {
resolve(data.trim() ? JSON.parse(data) : {});