Describe the bug
Editor execution uses EDITOR env var without sanitization. Shell metacharacters in EDITOR could enable command injection.
To reproduce
- Set EDITOR="vi; malicious_command"
- Run matcha config command
- Shell injection possible
Expected behavior
Validate EDITOR path, use exec.Command with proper argument separation
Matcha version
master
OS
Unix-like
Additional context
File: cli/config.go
Security: command injection risk
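One way to implement the expected behavior, shown as an added example that is not Matcha's code or the reporter's. `parseEditor` and `editorCommand` are hypothetical helpers, and the sketch assumes EDITOR holds a program name plus optional whitespace-separated flags.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// shellMeta lists characters that only mean something to a shell; a plain
// editor setting such as "vi" or "code --wait" never needs them.
const shellMeta = ";&|`$<>(){}\\\"'\n*?~!#"

// parseEditor (hypothetical helper) splits an EDITOR value into program and flags.
func parseEditor(value string) (string, []string, error) {
	if strings.ContainsAny(value, shellMeta) {
		return "", nil, fmt.Errorf("EDITOR %q contains shell metacharacters", value)
	}
	fields := strings.Fields(value)
	if len(fields) == 0 {
		return "", nil, errors.New("EDITOR is empty")
	}
	return fields[0], fields[1:], nil
}

// editorCommand (hypothetical helper) builds the process without any shell:
// the program is resolved on PATH and the file is passed as its own argv entry.
func editorCommand(value, file string) (*exec.Cmd, error) {
	name, args, err := parseEditor(value)
	if err != nil {
		return nil, err
	}
	path, err := exec.LookPath(name)
	if err != nil {
		return nil, fmt.Errorf("editor %q not found: %w", name, err)
	}
	cmd := exec.Command(path, append(args, file)...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd, nil
}

func main() {
	// Constructed sample values, including the one from the reproduction steps.
	for _, v := range []string{"vi", "code --wait", "vi; malicious_command", ""} {
		name, args, err := parseEditor(v)
		fmt.Printf("%q -> name=%q args=%q err=%v\n", v, name, args, err)
	}
}
```

An editor path that contains spaces is rejected by this split; supporting one would need a real quoting parser rather than a shell.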