Change formatting to prevent UI redressing attacks (#17611)

2026-03-20 19:11:23 -07:00 · 2026-01-27 08:56:01 -08:00
parent 6be42be575
commit 8b2b71c8ef
6 changed files with 26 additions and 24 deletions
--- a/packages/cli/src/ui/components/Help.tsx
+++ b/packages/cli/src/ui/components/Help.tsx
@@ -9,7 +9,7 @@ import { Box, Text } from 'ink';
 import { theme } from '../semantic-colors.js';
 import { type SlashCommand, CommandKind } from '../commands/types.js';
 import { KEYBOARD_SHORTCUTS_URL } from '../constants.js';
-import { sanitizeForListDisplay } from '../utils/textUtils.js';
+import { sanitizeForDisplay } from '../utils/textUtils.js';

 interface Help {
  commands: readonly SlashCommand[];
@@ -79,7 +79,7 @@ export const Help: React.FC<Help> = ({ commands }) => (
              <Text color={theme.text.secondary}> [MCP]</Text>
            )}
            {command.description &&
-              ' - ' + sanitizeForListDisplay(command.description, 100)}
+              ' - ' + sanitizeForDisplay(command.description, 100)}
          </Text>
          {command.subCommands &&
            command.subCommands
@@ -91,7 +91,7 @@ export const Help: React.FC<Help> = ({ commands }) => (
                    {subCommand.name}
                  </Text>
                  {subCommand.description &&
-                    ' - ' + sanitizeForListDisplay(subCommand.description, 100)}
+                    ' - ' + sanitizeForDisplay(subCommand.description, 100)}
                </Text>
              ))}
        </Box>
--- a/packages/cli/src/ui/components/SuggestionsDisplay.tsx
+++ b/packages/cli/src/ui/components/SuggestionsDisplay.tsx
@@ -9,7 +9,7 @@ import { theme } from '../semantic-colors.js';
 import { ExpandableText, MAX_WIDTH } from './shared/ExpandableText.js';
 import { CommandKind } from '../commands/types.js';
 import { Colors } from '../colors.js';
-import { sanitizeForListDisplay } from '../utils/textUtils.js';
+import { sanitizeForDisplay } from '../utils/textUtils.js';

 export interface Suggestion {
  label: string;
@@ -117,7 +117,7 @@ export function SuggestionsDisplay({
            {suggestion.description && (
              <Box flexGrow={1} paddingLeft={3}>
                <Text color={textColor} wrap="truncate">
-                  {sanitizeForListDisplay(suggestion.description, 100)}
+                  {sanitizeForDisplay(suggestion.description, 100)}
                </Text>
              </Box>
            )}
--- a/packages/cli/src/ui/components/messages/ToolConfirmationMessage.tsx
+++ b/packages/cli/src/ui/components/messages/ToolConfirmationMessage.tsx
@@ -21,6 +21,7 @@ import type { RadioSelectItem } from '../shared/RadioButtonSelect.js';
 import { useToolActions } from '../../contexts/ToolActionsContext.js';
 import { RadioButtonSelect } from '../shared/RadioButtonSelect.js';
 import { MaxSizedBox, MINIMUM_MAX_HEIGHT } from '../shared/MaxSizedBox.js';
+import { sanitizeForDisplay } from '../../utils/textUtils.js';
 import { useKeypress } from '../../hooks/useKeypress.js';
 import { theme } from '../../semantic-colors.js';
 import { useSettings } from '../../contexts/SettingsContext.js';
@@ -257,7 +258,7 @@ export const ToolConfirmationMessage: React.FC<
      if (executionProps.commands && executionProps.commands.length > 1) {
        question = `Allow execution of ${executionProps.commands.length} commands?`;
      } else {
-        question = `Allow execution of: '${executionProps.rootCommand}'?`;
+        question = `Allow execution of: '${sanitizeForDisplay(executionProps.rootCommand)}'?`;
      }
    } else if (confirmationDetails.type === 'info') {
      question = `Do you want to proceed?`;
@@ -346,7 +347,7 @@ export const ToolConfirmationMessage: React.FC<
            <Box flexDirection="column">
              {commandsToDisplay.map((cmd, idx) => (
                <Text key={idx} color={theme.text.link}>
-                  {cmd}
+                  {sanitizeForDisplay(cmd)}
                </Text>
              ))}
            </Box>