fix(clipboard): fix Windows escaping, macOS/Linux shell injection, and Clipboard.copy typo #95
Merged
…d Clipboard.copy typo
- Fix Clipboard.copy() → Clipboard.copyText() in api/copy.js (TypeError fix)
- Windows copyFileReference: replace Set-Clipboard -Path (glob vulnerable) with Windows Forms SetFileDropList via Base64-encoded PowerShell; eliminates bracket wildcard expansion and bypasses all shell quoting at the Node→PS boundary
- macOS copyFileReference + revealInFinder: switch from execSync(osascript -e '...') to spawnSync(['osascript', '-e', script]); eliminates single-quote shell injection
- Windows revealInFinder: already used spawnSync; no change needed
- Linux revealInFinder: switch from execSync(xdg-open "...") to spawnSync(['xdg-open', dir]); eliminates $-expansion and double-quote injection
- Fix clipboardy mock: add mock.default = mock so dynamic ESM imports resolve correctly
- Add 23 unit tests in tests/unit/utils/clipboard.test.js covering all platforms and special-character edge cases
- Add 2 tests to copy.test.js: clipboard success path and error suppression branch
Summary
Fixes all four clipboard/file-reference bugs reported in issue #86.
Closes #86
Changes Made
- `src/api/copy.js` — Fix `Clipboard.copy(output)` → `Clipboard.copyText(output)` (the method `Clipboard.copy` did not exist; this was a `TypeError` at runtime)
- `src/utils/clipboard.js` — Windows `copyFileReference` — Replace `Set-Clipboard -Path` (vulnerable to `[`/`]` glob expansion with no `-LiteralPath` available) with Windows Forms `SetFileDropList` via Base64-encoded `-EncodedCommand`; eliminates all shell quoting at the Node→PowerShell boundary and prevents wildcard interpretation of brackets
- `src/utils/clipboard.js` — macOS `copyFileReference` + `revealInFinder` — Switch from `` execSync(`osascript -e '...'`) `` to `spawnSync('osascript', ['-e', script])`; eliminates single-quote shell injection for paths like `/Users/it's/file.xml`
- `src/utils/clipboard.js` — macOS `revealInFinder` — Fix no-op escape `replace(/"/g, '"')` → correct `replace(/\\/g, '\\\\').replace(/"/g, '\\"')` for AppleScript double-quoted strings
- `src/utils/clipboard.js` — Linux `revealInFinder` — Switch from `` execSync(`xdg-open "${dir}"`) `` to `spawnSync('xdg-open', [dir])`; eliminates `$`-expansion and double-quote injection
- `tests/setup-global-mocks.js` — Add `mock.default = mock` to clipboardy mock so dynamic ESM `import('clipboardy')` resolves `.default` correctly in tests
- `tests/unit/utils/clipboard.test.js` (new) — 23 unit tests covering all three platform branches and edge cases: single quotes, `[`/`]`, `$`, `&`/`|`, UNC paths, backslashes, fallback behaviour
- `tests/unit/api/copy.test.js` — 2 new tests: `clipboard: true` success path (asserts `copyText` is called) and error suppression (asserts `clipboardError` is recorded without throwing)
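
The argv-based pattern described in this PR, as an added example that is not code from the PR or the project: each platform builder returns a command and an argument array for `spawnSync`, so no shell ever parses the path. The function names, the AppleScript and PowerShell script bodies, the PowerShell flags chosen, and the sample path are assumptions.

```javascript
// Added example, not the project's code. Function names and script bodies
// are assumptions; each builder returns [command, args] for spawnSync.

// AppleScript double-quoted string: escape backslash first, then the quote.
function appleScriptString(s) {
  return '"' + s.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// PowerShell -EncodedCommand expects Base64 of the UTF-16LE script text.
function encodePowerShell(script) {
  return Buffer.from(script, 'utf16le').toString('base64');
}

// macOS: the whole script is one argv element, so /bin/sh never sees it.
function macRevealArgv(filePath) {
  const script =
    `tell application "Finder" to reveal POSIX file ${appleScriptString(filePath)}`;
  return ['osascript', ['-e', script]];
}

// Linux: the directory is one argv element; no $-expansion, no quoting.
function linuxOpenArgv(dir) {
  return ['xdg-open', [dir]];
}

// Windows: the path rides inside the script as Base64 data, so PowerShell
// quoting and [ ] wildcard rules never apply to it.
function windowsCopyFileArgv(filePath) {
  const b64 = Buffer.from(filePath, 'utf8').toString('base64');
  const script = [
    'Add-Type -AssemblyName System.Windows.Forms',
    `$p = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('${b64}'))`,
    '$list = New-Object System.Collections.Specialized.StringCollection',
    '[void]$list.Add($p)',
    '[System.Windows.Forms.Clipboard]::SetFileDropList($list)',
  ].join('\n');
  const args = ['-NoProfile', '-NonInteractive', '-STA',
    '-EncodedCommand', encodePowerShell(script)];
  return ['powershell.exe', args];
}

// Constructed sample path: single quote, double quotes, $, brackets, backslash.
const samplePath = '/Users/it\'s/a "b" $HOME [1]\\x.xml';
for (const build of [macRevealArgv, linuxOpenArgv, windowsCopyFileArgv]) {
  const [cmd, args] = build(samplePath);
  console.log(cmd, JSON.stringify(args)); // hand these to spawnSync(cmd, args)
}
```

Because the builders are pure functions, their output can be asserted on any platform without mocking `child_process`.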