
fix: sanitize untrusted email fields in remaining interactive receiving commands#216

Draft
bukinoshita wants to merge 1 commit into main from fix/sanitize-terminal-escape-sequences-38d8

Conversation

@bukinoshita (Member) commented Apr 9, 2026

Summary by cubic

Sanitizes untrusted inbound email fields in interactive CLI output to strip ANSI/control escape sequences and prevent terminal spoofing or abuse. Addresses Linear BU-656; JSON output is unchanged.

  • Bug Fixes
    • Added src/lib/sanitize-for-terminal.ts to remove C0 (except tab/newline), DEL, C1, ESC, and CSI bytes.
    • Applied sanitization in emails/receiving interactive paths: get, listen, table rendering, and attachment.
    • Added tests covering ANSI/CSI/OSC sequences, control ranges, and unicode/tab/newline handling.

Written for commit fb787eb. Summary will update on new commits.
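As an added illustration of the sanitization the summary describes (example code, not the project's sanitize-for-terminal.ts or safeTerminalText, whose exact behaviour this page does not show): a TypeScript sanitizer that strips CSI and OSC sequences whole, then any remaining C0 (except tab and newline), DEL, lone ESC and C1 characters, applied to the from/to/subject/text fields the PR touches. The InboundEmail field names and the sample message are assumptions constructed for this example.

```typescript
// Added example, not the project's safeTerminalText: a sanitizer for untrusted
// inbound email fields before they are printed to an interactive terminal.
// It strips whole CSI and OSC sequences first, then any remaining C0 control
// (except tab and newline), DEL, lone ESC and C1 control characters.

// CSI: ESC [ or U+009B, then parameter bytes, intermediate bytes, one final byte.
const CSI_SEQUENCE = /(?:\x1b\[|\u009b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/g;
// OSC: ESC ] or U+009D, payload, terminated by BEL, ST (ESC \) or U+009C.
const OSC_SEQUENCE = /(?:\x1b\]|\u009d)[^\x07\x1b\u009c]*(?:\x07|\x1b\\|\u009c)?/g;
// Everything else that can move the cursor or rewrite the screen: C0 except
// TAB (0x09) and LF (0x0a), DEL (0x7f), and C1 (U+0080..U+009F).
const CONTROL_CHARS = /[\x00-\x08\x0b-\x1f\x7f\u0080-\u009f]/g;

export function sanitizeForTerminal(input: string): string {
  return input
    .replace(OSC_SEQUENCE, "")
    .replace(CSI_SEQUENCE, "")
    .replace(CONTROL_CHARS, "");
}

// The fields the PR sanitizes in get.ts; field names are assumed for this example.
export interface InboundEmail {
  from: string;
  to: string;
  subject: string;
  text: string;
}

export function sanitizeEmailForDisplay(email: InboundEmail): InboundEmail {
  return {
    from: sanitizeForTerminal(email.from),
    to: sanitizeForTerminal(email.to),
    subject: sanitizeForTerminal(email.subject),
    text: sanitizeForTerminal(email.text),
  };
}

// Constructed sample: colour codes in the sender, an OSC sequence and a stray CR
// in the subject, and BEL plus a clear-screen CSI in the body.
export const SAMPLE_EMAIL: InboundEmail = {
  from: "\x1b[32mSupport\x1b[0m <support@example.invalid>",
  to: "you@example.invalid",
  subject: "\x1b]8;;https://example.invalid\x07Invoice\x1b]8;;\x07 attached\r",
  text: "Hello,\n\tsee\x07 attached.\x1b[2J",
};
```

Only the interactive print path should go through sanitizeEmailForDisplay; JSON output stays byte-for-byte, as the PR states.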

@cursor (Bot) changed the title from "Strip ANSI/control escape sequences from inbound email fields in interactive output" to "fix: strip ANSI/control escape sequences from inbound email fields in interactive output" on Apr 9, 2026
@bukinoshita (Member, Author):

@cursor fix the conflicts

@cursor (Bot) commented Apr 13, 2026

Conflicts resolved. Here's what I did:

  • Rebased onto main which had already introduced safeTerminalText in src/lib/safe-terminal-text.ts and applied it in listen.ts. This made my separate sanitize-for-terminal.ts utility redundant, so I dropped it entirely.
  • Applied safeTerminalText to the three remaining unsanitized files: get.ts (from, to, subject, text body), attachment.ts (filename), and utils.ts (from, to, subject in table rows).
  • All 788 tests pass and lint is clean. The PR has been force-pushed with the clean commit.

…ng commands

Apply safeTerminalText (already on main) to the interactive output paths
that were still printing raw untrusted fields:

- get.ts: sanitize from, to, subject, and text body snippet
- attachment.ts: sanitize filename
- utils.ts: sanitize from, to, subject in table rows

listen.ts was already sanitized on main. JSON output is unaffected.

Resolves: BU-656

Co-authored-by: Bu Kinoshita <bukinoshita@users.noreply.github.com>
@cursor (Bot) force-pushed the fix/sanitize-terminal-escape-sequences-38d8 branch from fb787eb to bfd655e on April 13, 2026 21:56
@cursor (Bot) changed the title from "fix: strip ANSI/control escape sequences from inbound email fields in interactive output" to "fix: sanitize untrusted email fields in remaining interactive receiving commands" on Apr 13, 2026
@bukinoshita (Member, Author):

@cubic-dev-ai can you review?

@cubic-dev-ai (Bot, Contributor) commented Apr 13, 2026

@cubic-dev-ai can you review?

@bukinoshita I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai (Bot, Contributor) left a review comment:

No issues found across 3 files
