Skip to content

Harden command construction (defense-in-depth)#4

Merged
suarezesteban merged 1 commit into
mainfrom
claude/practical-thompson-yy9nm1
Jun 9, 2026
Merged

Harden command construction (defense-in-depth)#4
suarezesteban merged 1 commit into
mainfrom
claude/practical-thompson-yy9nm1

Conversation

@suarezesteban

@suarezesteban suarezesteban commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Three low-risk hardening fixes from a security review of the CLI. None is exploitable today — each removes a latent footgun should an input source ever change.

  • ui.tsopenUrl goes through a shell on Windows (start is a cmd builtin). It now validates the URL first via a new exported isOpenableUrl predicate: https-only, *.vercel.run origin, strict shell-safe character set. Unit-tested, including lookalike hosts (evil-vercel.run) and shell metacharacters.
  • ready.ts — the waitForPort probe now passes port/iterations as bash positional args ($1/$2) instead of string interpolation, matching the positional-arg pattern used elsewhere (e.g. remoteTextEquals).
  • sync.ts — the remote rm -f in removeFiles now includes -- so no target can ever be parsed as an option.

Note: this PR was merged while the branch's remaining work was still in flight; the rest of the review (calm error paths, low-friction env injection, dev-script port detection) landed separately in #5.

pnpm lint, pnpm typecheck, pnpm test (147/149; 2 pre-existing environment-only failures as root) and pnpm build pass.

https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh

@claude
Harden command construction (defense-in-depth)
44be4ab 
Three low-risk hardening fixes from a security review. None is exploitable
today; each removes a latent footgun should an input source change.

- ui.ts: validate the URL before openUrl hands it to a shell on Windows
  (`start` is a cmd builtin). Restrict to an https `*.vercel.run` origin with
  a shell-safe character set via a new exported `isOpenableUrl` predicate.
- ready.ts: pass the loop count and port to the waitForPort probe as bash
  positional args ($1/$2) instead of string-interpolating them, matching the
  positional-arg pattern used elsewhere.
- sync.ts: add `--` to the remote `rm -f` so no target can be read as an
  option (targets are always absolute, so this is belt-and-suspenders).

Adds unit tests for isOpenableUrl and updates the removeFiles assertion.

https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh
@vercel

vercel Bot commented Jun 9, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
upcli Ready Ready Preview, Comment Jun 9, 2026 6:37pm
upcli-downloads Ready Ready Preview, Comment Jun 9, 2026 6:37pm

@suarezesteban suarezesteban merged commit 5c29fcf into main Jun 9, 2026
9 checks passed
@suarezesteban suarezesteban changed the title Harden command construction (defense-in-depth) Harden command construction and calm remaining raw-error paths Jun 10, 2026
@suarezesteban suarezesteban changed the title Harden command construction and calm remaining raw-error paths Security hardening + "just works" UX fixes from review and beta feedback Jun 10, 2026
suarezesteban pushed a commit that referenced this pull request Jun 10, 2026
@claude
Merge origin/main (squash of #4) into the working branch
fdc1421
@suarezesteban suarezesteban mentioned this pull request Jun 10, 2026
Merged
@suarezesteban suarezesteban changed the title Security hardening + "just works" UX fixes from review and beta feedback Harden command construction (defense-in-depth) Jun 10, 2026
suarezesteban pushed a commit that referenced this pull request Jun 10, 2026
@claude
Cut v0.1.0-beta.4
1aeebfe 
Ships the changes from #4 and #5: hardened command construction, calmer
auth/stop/timeout error paths, low-friction env-file injection, and
honoring an explicit port in the project's dev script.

- Add the v0.1.0-beta.4 release artifacts (sha256-checksummed bundle).
- Point install.sh's default version at v0.1.0-beta.4.
- Print the next step after a successful install when no PATH change is
  needed, so the happy path ends with what to run instead of silence.

https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh
@suarezesteban suarezesteban mentioned this pull request Jun 10, 2026
Merged
suarezesteban added a commit that referenced this pull request Jun 10, 2026
@suarezesteban
Cut v0.1.0-beta.4 (#6)
715dc59 
Ships #4 and #5: hardened command construction, calmer auth/stop/timeout
error paths, low-friction env-file injection, and honoring an explicit
port in the project's dev script.

- Add the v0.1.0-beta.4 release artifacts (sha256-checksummed bundle).
- Point install.sh's default version at v0.1.0-beta.4.
- Print the next step after a successful install when no PATH change is
  needed.

https://claude.ai/code/session_01GVqD2pepFwpZG7dNp9T9jh
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@suarezesteban @claude