open-code-review/cmd/opencodereview/output_test.go
kite a37bee50fb fix: sanitize terminal control characters in text output to prevent escape-sequence injection (#143)
Strip C0/C1 control characters and DEL from model/diff-derived strings
before printing to the terminal, preventing OSC 52 clipboard hijack,
screen erasure spoofing, and other ANSI injection attacks (CWE-150).
JSON output is unaffected as encoding/json already escapes control chars.
2026-06-16 14:48:56 +08:00

35 lines
1.2 KiB
Go
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

package main
import "testing"
func TestSanitizeTerminal(t *testing.T) {
tests := []struct {
name string
in string
want string
}{
{"plain text unchanged", "hello world", "hello world"},
{"preserves tab", "col1\tcol2", "col1\tcol2"},
{"preserves newline", "line1\nline2", "line1\nline2"},
{"strips ESC", "before\x1b[2Jafter", "before[2Jafter"},
{"strips OSC 52", "\x1b]52;c;dGVzdA==\x07", "]52;c;dGVzdA=="},
{"strips BEL alone", "beep\x07done", "beepdone"},
{"strips null byte", "a\x00b", "ab"},
{"strips DEL", "a\x7fb", "ab"},
{"strips carriage return", "fake\rreal", "fakereal"},
{"empty string", "", ""},
{"only control chars", "\x1b\x07\x00\x7f", ""},
{"unicode preserved", "代码审查 レビュー 🔍", "代码审查 レビュー 🔍"},
{"mixed safe and unsafe", "path\x1b[0m/file.go", "path[0m/file.go"},
{"strips C1 CSI (U+009B)", "before›after", "beforeafter"},
{"strips C1 OSC (U+009D)", "beforeafter", "beforeafter"},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := sanitizeTerminal(tt.in)
if got != tt.want {
t.Errorf("sanitizeTerminal(%q) = %q, want %q", tt.in, got, tt.want)
}
})
}
}