fix(security): disable executable gray-matter frontmatter in commands

2026-03-14 10:27:24 +00:00 · 2026-03-11 22:04:38 +00:00
parent a116b95199
commit b9c902b016
3 changed files with 24 additions and 6 deletions
--- a/server/utils/commandParser.js
+++ b/server/utils/commandParser.js
@@ -1,9 +1,9 @@
-import matter from 'gray-matter';
 import { promises as fs } from 'fs';
 import path from 'path';
 import { execFile } from 'child_process';
 import { promisify } from 'util';
 import { parse as parseShellCommand } from 'shell-quote';
+import { parseFrontmatter } from './frontmatter.js';

 const execFileAsync = promisify(execFile);

@@ -32,7 +32,7 @@ const BASH_COMMAND_ALLOWLIST = [
 */
 export function parseCommand(content) {
  try {
-    const parsed = matter(content);
+    const parsed = parseFrontmatter(content);
    return {
      data: parsed.data || {},
      content: parsed.content || '',