fix: sanitize escape sequence injection#1976

Open
curious-rabbit wants to merge 3 commits into sharkdp:master from curious-rabbit:master

Conversation

@curious-rabbit curious-rabbit commented Apr 18, 2026

  • Filenames can contain terminal escape codes (like ESC). fd prints them raw to your terminal, so a file named innocent\x1b]52;c;...\x1b\.txt silently rewrites your clipboard. Fix: strip control bytes before writing to a TTY.

  • fd -x rm {/} in a dir with a file named -rf runs rm -rf. Fix: prepend ./ when a path placeholder produces a leading dash.

  • fd -x '{}' lets you use {} as the command to run, not just an argument to one. It's inconsistent with fd -X, which rejects this. The patch rejects a placeholder in args[0] for both modes.

Also added tests to ensure changes don't break this in the future.
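The three mitigations the description lists, written out as an added Rust example; this is not fd's code and not the patch in this PR. The function names are my own, and the placeholder list follows fd's documented `{}`, `{/}`, `{//}`, `{.}` and `{/.}` forms.

```rust
use std::borrow::Cow;

/// Replace every control character with a visible U+FFFD before echoing a
/// filename to a terminal, so ESC (and the 8-bit C1 introducers) can never
/// start an OSC/CSI sequence such as the clipboard-writing OSC 52.
/// `char::is_control` covers U+0000-U+001F and U+007F-U+009F.
pub fn sanitize_for_tty(name: &str) -> Cow<'_, str> {
    if !name.chars().any(char::is_control) {
        // Common case: nothing to do, no allocation.
        return Cow::Borrowed(name);
    }
    Cow::Owned(
        name.chars()
            .map(|c| if c.is_control() { '\u{FFFD}' } else { c })
            .collect(),
    )
}

/// A path produced by a placeholder that starts with '-' would be parsed as
/// an option by the child command ("rm -rf"). Prefix it so it stays a path.
/// Only the first character matters: "a/-rf" is already unambiguous.
pub fn guard_leading_dash(path: &str) -> String {
    if path.starts_with('-') {
        format!("./{}", path)
    } else {
        path.to_string()
    }
}

/// Reject a command template whose first token is a placeholder: the matched
/// path would become the program to execute instead of an argument.
pub fn validate_command_template(args: &[&str]) -> Result<(), String> {
    // fd's documented placeholder tokens.
    const PLACEHOLDERS: [&str; 5] = ["{}", "{/}", "{//}", "{.}", "{/.}"];
    match args.first() {
        None => Err("empty command".to_string()),
        Some(first) if PLACEHOLDERS.contains(first) => {
            Err(format!("placeholder {} cannot be used as the command", first))
        }
        Some(_) => Ok(()),
    }
}
```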

@curious-rabbit curious-rabbit requested a review from tmccombs April 20, 2026 12:28