Skip to content

Harden terminal-escape rendering across all MdsError variants (CWE-150) #176

Description

@dean0x

Location: crates/mds-cli/src/lint.rs:246 (and repo-wide)

Human-rendered diagnostics attach RAW source to miette with_source_code, so a hostile .mds line with ANSI/C0/C1 escapes can inject terminal control sequences.

Deferred From: PR #171 (Closes #61) — mds lint release gate
Review: .devflow/docs/reviews/feat-mds-lint-61/2026-07-11_1046/resolution-summary.md

Reason for Deferral:
PRE-EXISTING repo-wide class — every MdsError in check/build/compile does this; lint inherits the pattern. Fix is non-trivial (escaping desyncs span offsets). Cross-cutting hardening across the shared render boundary best done as dedicated security PR.

Acceptance Criteria:

  • Audit all MdsError render sites (check/, build/, compile, lint)
  • Escape terminal control characters in source snippets
  • Preserve span accuracy (no offset desync)
  • Add test vectors for ANSI/C0/C1 injection attempts

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions