
Sanitize control characters in contract spec display output.#2433

Merged
fnando merged 4 commits into main from escape-wasm-interface on Mar 7, 2026

Conversation

@fnando
Member

@fnando fnando commented Mar 6, 2026

What

Contract spec fields (function names, docstrings, UDT names, metadata key/val) are now stripped of ASCII control characters before being written to the terminal or registered as clap help text. This prevents a malicious contract from embedding ANSI escape sequences that could overwrite terminal output with forged content.

Affected paths:

  • stellar contract invoke --help (clap subcommand names and help text)
  • stellar contract info (Spec Display impl and text output)
  • stellar contract inspect (deprecated)

Tests added using a fixture wasm that embeds ANSI escape sequences in function names and docstrings.

Why

Known limitations

N/A

Copilot AI review requested due to automatic review settings March 6, 2026 21:04
@github-project-automation github-project-automation bot moved this to Backlog (Not Ready) in DevX Mar 6, 2026
@fnando fnando requested review from leighmcculloch and sagpatil and removed request for Copilot March 6, 2026 21:05
@fnando fnando self-assigned this Mar 6, 2026
@fnando fnando moved this from Backlog (Not Ready) to Needs Review in DevX Mar 6, 2026
@fnando fnando added the cli Related to Soroban CLI label Mar 6, 2026
Contributor

Copilot AI left a comment


Pull request overview

Hardens Stellar CLI contract-spec rendering by stripping control characters from spec-derived strings at display/help-text boundaries to prevent terminal escape-sequence injection via malicious contracts.

Changes:

  • Re-exported and applied a shared sanitize helper to strip control characters from spec names/docs before printing or registering with clap help.
  • Added a sanitized-name fallback lookup in get_function_spec to keep functions with control characters addressable via their sanitized clap subcommand.
  • Added regression tests + a wasm fixture containing ANSI escape sequences to validate help/spec output is free of unexpected control characters.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

Summary per file:

  • cmd/soroban-cli/src/commands/contract/arg_parsing.rs: Sanitizes function names/docs used in clap command/help generation; adds lookup fallback and a help-rendering regression test.
  • cmd/crates/soroban-spec-tools/src/contract.rs: Sanitizes spec display output (meta entries, function names/docs, UDT names/docs) and defines the shared sanitize helper.
  • cmd/crates/soroban-spec-tools/src/lib.rs: Re-exports contract::sanitize for use by CLI code.
  • cmd/crates/soroban-spec-tools/tests/contract_sanitize.rs: Adds a test ensuring Spec display output contains no unexpected control characters.
  • cmd/crates/soroban-spec-tools/tests/fixtures/control_characters.wasm: Adds a malicious fixture embedding ANSI escape sequences in spec fields for regression coverage.

@fnando fnando force-pushed the escape-wasm-interface branch from 8f2f96c to b5e2e76 March 6, 2026 21:47
@fnando fnando enabled auto-merge (squash) March 6, 2026 21:47
@fnando fnando requested a review from Copilot March 6, 2026 21:48
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

cmd/soroban-cli/src/commands/contract/arg_parsing.rs:358

  • sanitize() preserves \n, so leaking sanitize(name) into clap’s command name can produce subcommand names containing newlines (untypable from a shell) and can still inject extra lines into help output. It can also produce an empty string if the name is entirely control characters, and it doesn’t guard against multiple distinct function names collapsing to the same sanitized clap name. Consider using a stricter “identifier sanitizer” for clap names (e.g., reject/strip all whitespace/control incl. newlines, enforce non-empty) and detect collisions early with a clear error.
    let name: &'static str = Box::leak(sanitize(name).into_boxed_str());
    let mut cmd = clap::Command::new(name)
        .no_binary_name(true)
        .term_width(300)
        .max_term_width(300);
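
An added example, not code from stellar-cli or from this PR, of the two sanitizer shapes discussed in the description and in the review comment above: a display sanitizer that drops control characters (including ESC, which starts every ANSI escape sequence) but keeps newlines and tabs so docstrings still render, and a stricter identifier sanitizer for clap subcommand names that strips all whitespace and control characters, rejects an empty result, and fails early when two spec function names collapse onto one sanitized name. The function names, the `SpecError` type and the malicious spec strings are constructed for the example and are not taken from the fixture wasm; dropping the C1 range as well as ASCII controls is a design choice of the example, not something the PR states.

```rust
// Added example (not stellar-cli's code): sanitizers for contract-spec strings
// that a malicious wasm could fill with terminal escape sequences.
use std::collections::HashMap;

/// Display sanitizer: drop every control character (Unicode Cc, which covers
/// 0x00-0x1F, 0x7F and the C1 range 0x80-0x9F) except newline and tab, so a
/// multi-line docstring still renders but ESC (0x1B) and 8-bit CSI (U+009B)
/// can never start an escape sequence.
pub fn sanitize_display(s: &str) -> String {
    s.chars()
        .filter(|&c| c == '\n' || c == '\t' || !c.is_control())
        .collect()
}

/// Identifier sanitizer for clap subcommand names: a name must be typable on
/// one shell line, so all whitespace goes too, and an empty result is an error.
pub fn sanitize_ident(s: &str) -> Option<String> {
    let out: String = s
        .chars()
        .filter(|c| !c.is_control() && !c.is_whitespace())
        .collect();
    if out.is_empty() {
        None
    } else {
        Some(out)
    }
}

/// Error type for the spec-to-subcommand mapping (constructed for this example).
#[derive(Debug, PartialEq)]
pub enum SpecError {
    /// The spec function name contained nothing typable.
    EmptyName { original: String },
    /// Two distinct spec function names collapsed onto one clap name.
    Collision { sanitized: String, first: String, second: String },
}

/// Map sanitized clap subcommand name -> original spec function name, so the
/// name the user types can be resolved back to the spec entry (the fallback
/// lookup the PR describes), while rejecting empty and colliding names.
pub fn build_subcommand_map(names: &[&str]) -> Result<HashMap<String, String>, SpecError> {
    let mut map: HashMap<String, String> = HashMap::new();
    for &name in names {
        let key = sanitize_ident(name).ok_or_else(|| SpecError::EmptyName {
            original: name.to_string(),
        })?;
        if let Some(first) = map.insert(key.clone(), name.to_string()) {
            return Err(SpecError::Collision {
                sanitized: key,
                first,
                second: name.to_string(),
            });
        }
    }
    Ok(map)
}

/// The assertion a regression test makes over rendered help or spec output:
/// nothing but printable text, newlines and tabs.
pub fn has_unexpected_control(s: &str) -> bool {
    s.chars().any(|c| c.is_control() && c != '\n' && c != '\t')
}

fn main() {
    // Constructed malicious spec strings, not taken from a real contract.
    // "\x1b[2K" erases the current line and "\x1b[1G" returns the cursor to
    // column 1, so an unsanitized name would overwrite what was just printed.
    let forged_name = "transfer\x1b[2K\x1b[1G Verified safe by auditors";
    let forged_doc = "Moves tokens.\n\x1b[31mWARNING forged\x1b[0m\rOK";

    println!("display: {:?}", sanitize_display(forged_name));
    println!("ident:   {:?}", sanitize_ident(forged_name));
    println!("doc:     {:?}", sanitize_display(forged_doc));
    println!("clean:   {}", !has_unexpected_control(&sanitize_display(forged_name)));

    // "bal\x1bance" sanitizes to "balance" and would shadow the real function.
    match build_subcommand_map(&["balance", "bal\x1bance"]) {
        Ok(map) => println!("subcommands: {:?}", map),
        Err(err) => println!("rejected: {:?}", err),
    }
}
```

Stripping only the ESC byte leaves the rest of the sequence (`[2K`, `[31m`) as visible text, which is harmless but is why a regression test should assert on the absence of control characters, as `has_unexpected_control` does, rather than on an exact rendered string. Keeping the collision check outside the sanitizer itself lets the same helper serve both display and clap-name paths while the mapping step decides what to do about duplicates.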

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.

@fnando fnando merged commit 2276efd into main Mar 7, 2026
102 of 114 checks passed
@fnando fnando deleted the escape-wasm-interface branch March 7, 2026 00:04
@github-project-automation github-project-automation bot moved this from Needs Review to Done in DevX Mar 7, 2026

Labels

cli Related to Soroban CLI

Projects

Status: Done


3 participants