Skip to content

fix: sanitize process detail strings before tui rendering#3

Merged
rekurt merged 1 commit into
masterfrom
feat/propose-fix-for-terminal-escape-injection
Apr 6, 2026
Merged

fix: sanitize process detail strings before tui rendering#3
rekurt merged 1 commit into
masterfrom
feat/propose-fix-for-terminal-escape-injection

Conversation

@rekurt

@rekurt rekurt commented Apr 6, 2026

Copy link
Copy Markdown
Owner

Motivation

  • The Process Detail view rendered untrusted environment variables and open file paths directly into the terminal UI, allowing attacker-controlled control/escape characters to produce terminal escape injection when viewed.
  • The change aims to neutralize control characters while preserving the original display/truncation behavior so UI semantics remain unchanged.

Description

  • Add sanitize_for_terminal(&str) -> String in crates/prt-core/src/core/process_detail.rs that replaces ASCII control characters (including ESC) with ? while keeping printable characters and preserving \n/\t.
  • Use the sanitizer in crates/prt/src/ui.rs to sanitize open file path strings and environment variable keys/values immediately before constructing Line entries for the Process Detail fullscreen view.
  • Preserve existing truncation logic and layout, only replacing control characters to prevent terminal escape/control-sequence injection.
  • Add focused unit tests for the sanitizer in prt-core to validate control characters are neutralized and printable text is preserved.

Testing

  • Ran cargo fmt --all successfully.
  • Ran cargo test -p prt-core process_detail and all tests passed (13 tests; 0 failed).
  • Ran cargo test -p prt --no-run to build the prt test profile successfully (compilation succeeded).

Codex Task

@rekurt rekurt merged commit 5012825 into master Apr 6, 2026
3 checks passed
@rekurt rekurt deleted the feat/propose-fix-for-terminal-escape-injection branch April 6, 2026 09:44
rekurt pushed a commit that referenced this pull request Jun 12, 2026
…t, model health

Auto-reconnect (#1,#2,#3,#8):
- Backoff now actually grows for unreachable hosts. The reset was tied to
  a 'successful' 150ms spawn, which an unreachable host passes (it blocks
  on TCP timeout), so the delay never increased. Growth now happens on
  every attempt and is reset only after a tunnel stays Alive for
  STABLE_THRESHOLD (30s), via refresh_health.
- reconnect uses a new non-blocking restart_async() (no 150ms sleep in the
  render thread); failures are caught on the next tick. Manual restart()
  stays blocking for immediate feedback.
- After MAX_RETRIES attempts without recovery a tunnel is marked permanently
  failed (auto_reconnect=false); drop_failed() now prunes only those, so
  'save' no longer discards a tunnel that's mid-reconnect. auto_reconnect
  is now a meaningful flag.

Listener health in the model (#4,#5):
- New TunnelStatus::Unhealthy (process alive, local port not listening).
  Decision extracted to a pure, unit-tested decide_status(); a HEALTH_GRACE
  window and a scan_usable flag suppress false 'no listener' right after
  start and while auto-refresh is paused. cleanup() now takes the listening
  port set; the view no longer reaches into the scan.

Cleanups:
- command_string() shell-quotes args via shlex (#6).
- uptime column reuses prt-core format_duration (#7).
- private from_parts() constructor removes spawn duplication (#9).
- cross-reference comments between PROXY_PORTS and known_ports (#10).

New unit tests: decide_status, next_backoff, command_string quoting.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant