Andras Bacsai 53cd2a6e86 refactor: harden and deduplicate validateShellSafePath ...

Changes:
- Added tab character ("\t") to dangerous characters list as token separator
- Removed redundant regex-based preg_match block (lines 147-152)
- Characters $(, ${, and backticks were already covered in $dangerousChars array
- Simplified function to rely solely on $dangerousChars loop

Security improvement:
- Tab characters can act as token separators in shell contexts
- Now explicitly blocked with descriptive error message

Tests:
- Added test for tab character blocking
- All 78 security tests pass (213 assertions)
- No regression in existing functionality

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-10-16 09:51:37 +02:00

132 KiB

Raw Blame History

View Raw