From 9aa41bfa671daf7831ce6209bfe93eec53dc3b89 Mon Sep 17 00:00:00 2001
From: A <258483684+la14-1@users.noreply.github.com>
Date: Mon, 23 Feb 2026 05:35:24 -0800
Subject: [PATCH] fix: reject non-ASCII filenames in install.sh download
 validation (#1802)

Fixes #1800 - explicit ASCII check blocks Unicode lookalike bypass

Agent: ux-engineer

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 cli/install.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cli/install.sh b/cli/install.sh
index 7a6e9982..3617c67d 100755
--- a/cli/install.sh
+++ b/cli/install.sh
@@ -205,6 +205,14 @@ clone_cli() {
     curl -fsSL "${SPAWN_RAW_BASE}/cli/bun.lock"       -o "${dest}/cli/bun.lock"
     curl -fsSL "${SPAWN_RAW_BASE}/cli/tsconfig.json"  -o "${dest}/cli/tsconfig.json"
     for f in $files; do
+        # SECURITY: Reject non-ASCII characters (Unicode lookalikes/homoglyphs)
+        if [[ "$f" =~ [^[:ascii:]] ]]; then
+            log_error "Security: Non-ASCII characters in filename: $f"
+            log_error "Only ASCII filenames are allowed."
+            log_error "Installation aborted for safety."
+            exit 1
+        fi
+
         # SECURITY: Strict allowlist — only alphanumeric, underscore, hyphen, .ts extension
         if [[ ! "$f" =~ ^[a-zA-Z0-9_-]+\.ts$ ]]; then
             log_error "Security: Invalid filename from API: $f"