Skip to content

feat: add 'Copy Scaffolding' dropdown with shell command generator#53

Merged
drehelis merged 1 commit intomainfrom
copy_scaffolding
Mar 30, 2026
Merged

feat: add 'Copy Scaffolding' dropdown with shell command generator#53
drehelis merged 1 commit intomainfrom
copy_scaffolding

Conversation

@drehelis
Copy link
Copy Markdown
Owner

No description provided.

Copilot AI review requested due to automatic review settings March 30, 2026 12:21
@drehelis drehelis enabled auto-merge (squash) March 30, 2026 12:21
@drehelis drehelis merged commit eb6adb1 into main Mar 30, 2026
6 checks passed
@drehelis drehelis deleted the copy_scaffolding branch March 30, 2026 12:22
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new “Copy Scaffolding” option to generate and copy a shell command that recreates the current .devcontainer file set, integrating it into the editor actions, tabs UI, and command palette.

Changes:

  • Added a new copyOneLiner() action + oneLinerStatus state to useEditorActions.
  • Replaced the single “Copy” button with a “Copy Options” dropdown in EditorTabs (Copy active file vs. Copy scaffolding).
  • Wired the new action/status through App.vue, including a new command palette action.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
src/composables/useEditorActions.ts Implements the shell command generator and exposes new status/action.
src/components/layout/EditorTabs.vue Adds the Copy dropdown UI and new one-liner emit path.
src/App.vue Passes new props/handlers and registers a command palette action for it.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/components/layout/EditorTabs.vue
Comment thread src/App.vue
Comment on lines +31 to +40
const files = allFiles.value;
const fileNames = Object.keys(files);

let command = "mkdir -pv .devcontainer";

const fileCommands = fileNames.map((name) => {
const content = files[name].content;
// Use a quoted heredoc (<< 'EOF') to prevent shell expansion
return `cat << 'EOF' > .devcontainer/${name}\n${content}\nEOF`;
});
Copy link

Copilot AI Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The generated shell command is unsafe with untrusted presetFiles names/content coming from share URLs. File names are interpolated into the redirection path unquoted (> .devcontainer/${name}), which enables command injection if name contains shell metacharacters/newlines; and using a fixed heredoc delimiter (EOF) can be prematurely terminated if file content contains a line equal to EOF, causing subsequent lines to be executed as shell commands. Mitigation: strictly validate/normalize allowed file names (e.g., reject path separators/whitespace/control chars), quote the output path, and use a per-file delimiter guaranteed not to appear in the content (or switch to a base64/printf-based approach that avoids heredocs entirely). Also consider creating parent directories for any nested paths if they are allowed.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants