Fix terminal escape sequence injection in rendered API text #1
Open
MoizIbnYousaf wants to merge 1 commit into bddicken:main from
Conversation
Untrusted text from the X API (tweet bodies, author names, user bios, error messages) was passed directly to OpenTUI Text() components. A crafted post containing terminal escape sequences could hijack the clipboard (OSC 52), clear the screen (CSI 2J), or spoof the terminal title. Add sanitizeText() that strips 7-bit ESC sequences, 8-bit C1 control codes, and remaining control characters before rendering. Also add an image URL allowlist so Jimp only fetches from known X CDN hosts.
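The sanitizer and host allowlist this PR describes, written out below as an added TypeScript example. It is not the PR's own `src/sanitize.ts` or `post-image-preview.ts` code: the name `sanitizeText()`, the classes of sequences it strips, and the four CDN hosts come from the PR description, while `isAllowedImageUrl()`, `hasTerminalControls()`, `renderSafe()`, the regex set and the constructed sample post are assumptions made for the example.

```typescript
// Added example (not the PR's own src/sanitize.ts): strip terminal control
// sequences from untrusted API text and restrict image fetches to known hosts.

// 7-bit sequences introduced by ESC (0x1b). The final ESC_OTHER pass removes
// any ESC the earlier passes did not consume, so no ESC ever survives.
const OSC_7BIT    = /\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?/g;          // ESC ] ... BEL|ST (clipboard, title)
const STRING_7BIT = /\x1b[PX^_][^\x1b]*(?:\x1b\\)?/g;               // DCS, SOS, PM, APC ... ST
const CSI_7BIT    = /\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]?/g;   // ESC [ params intermediates final
const ESC_OTHER   = /\x1b[\x20-\x2f]*[\x30-\x7e]?/g;                 // ESC c, ESC 7, ESC ( B, or a lone ESC
// 8-bit C1 forms that bypass filters which only look for 0x1b.
const CSI_8BIT    = /\u009b[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]?/g;
const OSC_8BIT    = /\u009d[^\x07\u009c\x1b]*(?:\x07|\u009c|\x1b\\)?/g;
const C1_ANY      = /[\u0080-\u009f]/g;
// Remaining C0 controls and DEL, keeping tab (0x09) and newline (0x0a).
const C0_REST     = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g;

function sanitizeText(input: string): string {
  return input
    .replace(OSC_7BIT, "")
    .replace(STRING_7BIT, "")
    .replace(CSI_7BIT, "")
    .replace(ESC_OTHER, "")
    .replace(CSI_8BIT, "")
    .replace(OSC_8BIT, "")
    .replace(C1_ANY, "")
    .replace(C0_REST, "");
}

// Post-condition worth asserting in tests: nothing a terminal could interpret
// as a control byte survives, whatever the regexes above happened to miss.
function hasTerminalControls(s: string): boolean {
  return /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\u0080-\u009f]/.test(s);
}

const ALLOWED_IMAGE_HOSTS = new Set([
  "pbs.twimg.com", "abs.twimg.com", "video.twimg.com", "ton.twimg.com",
]);

// Compare the parsed hostname, never a string prefix: "https://pbs.twimg.com@evil.example/x"
// parses to hostname evil.example, and "pbs.twimg.com.evil.example" is not in the set.
function isAllowedImageUrl(raw: string): boolean {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" && u.port === "" && ALLOWED_IMAGE_HOSTS.has(u.hostname);
  } catch {
    return false; // relative or unparseable URL: never fetch it
  }
}

// Constructed sample "API" payload carrying the sequences the PR names.
const samplePost = {
  author: "alice\x1b]0;FAKE TITLE\x07",
  text: "hi \x1b]52;c;aGVsbG8=\x07there\x1b[2J\n\tindented \x9b31mred",
  image: "https://pbs.twimg.com@evil.example/media/x.jpg",
};

// What a render path would hand to Text() and to the image loader.
function renderSafe(post: typeof samplePost): { author: string; text: string; imageOk: boolean } {
  return {
    author: sanitizeText(post.author),
    text: sanitizeText(post.text),
    imageOk: isAllowedImageUrl(post.image),
  };
}

console.log(renderSafe(samplePost));
```

The useful property is the post-condition rather than any single regex: after `sanitizeText()` no ESC, C1 or C0 byte other than tab and newline remains, so even a sequence the pattern list does not recognise degrades to printable parameter text instead of a command. The allowlist checks `hostname`, scheme and port on the parsed URL, because a prefix comparison on the raw string is exactly what an `@`-userinfo or a look-alike subdomain defeats.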
Problem
Tweet text, author names, user bios, and API error messages are passed directly to OpenTUI `Text()` without sanitization. Since OpenTUI does not strip escape sequences internally, a crafted post containing terminal escape sequences reaches the terminal emulator and gets interpreted as commands.

Concrete attack vectors:

- `\x1b]52;c;BASE64\x07` silently overwrites the user's clipboard
- `\x1b[2J` clears the terminal screen
- `\x1b]0;FAKE\x07` changes the terminal title (phishing)
- `\x9b` bypasses 7-bit-only filters

Any X user can trigger this by posting a tweet with embedded escape bytes.
Fix
- Add `sanitizeText()` in `src/sanitize.ts` that strips 7-bit ESC sequences, 8-bit C1 control codes (0x80-0x9F), and remaining control characters while preserving tabs and newlines
- Applied in `post-card.ts` (tweet text, author name, username), `user-info.ts` (name, username, bio), `header-bar.ts` (view title), and `status-bar.ts` (error messages)
- Image URL allowlist in `post-image-preview.ts` so `Jimp.read()` only fetches from known X CDN hosts (`pbs.twimg.com`, `abs.twimg.com`, `video.twimg.com`, `ton.twimg.com`), preventing SSRF via manipulated API responses

What it does not change