d8dfun/claudecodeui
1
0
Fork 0
mirror of https://github.com/siteboon/claudecodeui.git synced 2026-01-24 10:27:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Prevent CLI option injection in --print argument

Browse Source 
Fix: Prevent CLI option injection in --print argument
This commit is contained in:
viper151
2025-09-23 11:31:51 +02:00
committed by GitHub
parent 66fad9a6a2 ce9ab0cd16
commit 3c9a4cab82
1 changed files with 11 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
server/claude-cli.js
View File

@@ -25,15 +25,6 @@ async function spawnClaude(command, options = {}, ws) {
// Build Claude CLI command - start with print/resume flags first
const args = [];
// Add print flag with command if we have a command
if (command && command.trim()) {
// Separate arguments for better cross-platform compatibility
// This prevents issues with spaces and quotes on Windows
args.push('--print');
args.push(command);
}
// Use cwd (actual project directory) instead of projectPath (Claude's metadata directory)
const workingDir = cwd || process.cwd();
@@ -225,6 +216,17 @@ async function spawnClaude(command, options = {}, ws) {
console.log('📝 Skip permissions disabled due to plan mode');
}
}
// Add print flag with command if we have a command
if (command && command.trim()) {
// Separate arguments for better cross-platform compatibility
// This prevents issues with spaces and quotes on Windows
args.push('--print');
// Use `--` so user input is always treated as text, not options
args.push('--');
args.push(command);
}
console.log('Spawning Claude CLI:', 'claude', args.map(arg => {
const cleanArg = arg.replace(/\n/g, '\\n').replace(/\r/g, '\\r');