fix(security): disable executable gray-matter frontmatter in commands

This commit is contained in:
simosmik
2026-03-11 22:04:38 +00:00
parent a116b95199
commit b9c902b016
3 changed files with 24 additions and 6 deletions


@@ -1,9 +1,9 @@
import matter from 'gray-matter';
import { promises as fs } from 'fs';
import path from 'path';
import { execFile } from 'child_process';
import { promisify } from 'util';
import { parse as parseShellCommand } from 'shell-quote';
import { parseFrontmatter } from './frontmatter.js';
const execFileAsync = promisify(execFile);
@@ -32,7 +32,7 @@ const BASH_COMMAND_ALLOWLIST = [
*/
export function parseCommand(content) {
try {
const parsed = matter(content);
const parsed = parseFrontmatter(content);
return {
data: parsed.data || {},
content: parsed.content || '',


@@ -0,0 +1,18 @@
import matter from 'gray-matter';
const disabledFrontmatterEngine = () => ({});
const frontmatterOptions = {
language: 'yaml',
// Disable JS/JSON frontmatter parsing to avoid executable project content.
// Mirrors Gatsby's mitigation for gray-matter.
engines: {
js: disabledFrontmatterEngine,
javascript: disabledFrontmatterEngine,
json: disabledFrontmatterEngine
}
};
export function parseFrontmatter(content) {
return matter(content, frontmatterOptions);
}
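Review bot: The disabled engine at `const disabledFrontmatterEngine = () => ({});` makes a `---js`, `---javascript` or `---json` block parse as empty data, so a command file carrying such frontmatter is accepted silently with no signal to the caller or to logs. Throwing instead, e.g. `const disabledFrontmatterEngine = () => { throw new Error('js/javascript/json frontmatter is disabled'); };`, rejects the content explicitly and leaves a trace; parseCommand already wraps the call in a `try`, so the rejection would travel its existing error path, but that catch branch is outside the hunk and should be checked so it does not swallow the error. `parseFrontmatter` is exported without documentation; a JSDoc such as `/** Parse frontmatter with only the YAML engine enabled; js/javascript/json delimiters are refused. @param {string} content @returns {{ data: object, content: string }} */` would record the contract for callers. The inline comment also lumps JSON under "executable project content" although JSON is only data; naming the actual reason JSON is disabled would keep the comment accurate.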