From c4f8f103fab030bf3f0c2b54b453a753868b828a Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 19 Jun 2026 04:17:39 +0000
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[MEDIUM?= =?UTF-8?q?]=20Improve=20control=20character=20detection=20in=20input=20va?= =?UTF-8?q?lidation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated input validation in `project/app.py` and `scripts/rename.py` to use `str.isprintable()` instead of a naive ASCII range check (`c < " "`). This ensures that the `DEL` character (0x7f) and other non-printable characters are correctly identified and rejected, mitigating risks of terminal injection or UI manipulation. Added a test case in `tests/test_app.py` to verify the fix for the `DEL` character.
---
 project/app.py | 2 +-
 scripts/rename.py | 2 +-
 tests/test_app.py | 5 +++++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/project/app.py b/project/app.py
index 69b87be..e385b11 100644
--- a/project/app.py
+++ b/project/app.py
@@ -25,7 +25,7 @@ def main(name: str = "World"):
     """
     if len(name) > 100:
         raise UsageError("Invalid name: maximum length is 100 characters.")
-    if any(c < " " for c in name):
+    if any(not c.isprintable() for c in name):
         raise UsageError("Invalid name: control characters are not allowed.")
     secho(f"Hello {name}! 👋", fg="green", bold=True)
 
diff --git a/scripts/rename.py b/scripts/rename.py
index a0dfe46..c3d56a7 100644
--- a/scripts/rename.py
+++ b/scripts/rename.py
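Review bot: `any(not c.isprintable() for c in name)` re-implements what `str.isprintable()` already does for a whole string; `if not name.isprintable():` is equivalent (an empty string is printable and `any()` over it is False, so behaviour is unchanged) and drops the per-character generator. The new predicate also rejects more than the message says: `isprintable()` is False for every Unicode "Other" and "Separator" character except ASCII space, so DEL, C1 controls, no-break space (U+00A0) and format characters such as U+200B or the bidi override U+202E are all refused — a welcome tightening against invisible-character and bidi tricks, but a user entering a no-break space will be told "control characters are not allowed". A comment on the check, e.g. `# isprintable() is False for C0/C1 controls, DEL, and all Unicode Other/Separator code points except ASCII space`, would record that intent. The hunk in scripts/rename.py makes the identical change and the same remarks apply there. main's signature and docstring start before the hunk.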
@@ -78,7 +78,7 @@ def main(name: str, description: str, author: str, email: str, github: str):
     ]:
         if len(value) > 100:
             raise UsageError(f"Invalid {label}: maximum length is 100 characters.")
-        if any(c < " " for c in value):
+        if any(not c.isprintable() for c in value):
             raise UsageError(f"Invalid {label}: control characters are not allowed.")
         if label != "description" and '"' in value:
             raise UsageError(f"Invalid {label}: double quotes are not allowed.")
diff --git a/tests/test_app.py b/tests/test_app.py
index ef2df6c..77b7830 100644
--- a/tests/test_app.py
+++ b/tests/test_app.py
@@ -38,3 +38,8 @@ def test_name_control_characters():
     result = runner.invoke(main, ["--name", "Injected\x1b[31mRed\x1b[0m"])
     assert result.exit_code != 0
     assert "control characters are not allowed" in result.output
+
+    # Test DEL character (0x7f) which was previously missed by (c < " ") check
+    result = runner.invoke(main, ["--name", "test\x7f"])
+    assert result.exit_code != 0
+    assert "control characters are not allowed" in result.output

From 8d57950b01f7881fae62f2a6c4ce46d03092ffbc Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 19 Jun 2026 10:52:06 +0000
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[MEDIUM?= =?UTF-8?q?]=20Improve=20control=20character=20detection=20in=20input=20va?= =?UTF-8?q?lidation=20(Addressed=20feedback)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Replaced naive ASCII range check (`c < " "`) with `str.isprintable()` for robust control character detection.
- Updated `project/app.py` and `scripts/rename.py`.
- Added a test case in `tests/test_app.py` for the `DEL` character.
- Removed unnecessary comment in `tests/test_app.py` as per review feedback.
---
 tests/test_app.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/test_app.py b/tests/test_app.py
index 77b7830..7c414cd 100644
--- a/tests/test_app.py
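Review bot: The DEL regression test only drives `project/app.py`'s `main`; the matching change to `scripts/rename.py` in the same patch has no test in the diffstat, so its validation could regress silently. Since the function now repeats the invoke/assert triple per input, a parametrized form would scale better as rejected inputs are added, e.g. `@pytest.mark.parametrize("bad", ["Injected\x1b[31mRed\x1b[0m", "test\x7f"])` over a single body — assuming pytest is the runner, which the imports outside the hunk would confirm. Inputs worth adding to that list are a C1 control (`"\x85"`) and a bidi override (`"\u202e"`), both of which the new `isprintable()` check rejects and the old `c < " "` check let through. `test_name_control_characters` begins before the hunk.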
+++ b/tests/test_app.py
@@ -39,7 +39,6 @@ def test_name_control_characters():
     assert result.exit_code != 0
     assert "control characters are not allowed" in result.output
 
-    # Test DEL character (0x7f) which was previously missed by (c < " ") check
     result = runner.invoke(main, ["--name", "test\x7f"])
     assert result.exit_code != 0
     assert "control characters are not allowed" in result.output