git-watchtower 2.3.24 → 2.3.26

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "git-watchtower",
-  "version": "2.3.24",
+  "version": "2.3.26",
   "description": "Terminal-based Git branch monitor with activity sparklines and optional dev server with live reload",
   "main": "bin/git-watchtower.js",
   "bin": {

package/src/ui/ansi.js

@@ -602,25 +602,79 @@ function style(text, ...styles) {
 }
 
 /**
- * Pad a string on the right, truncating if too long (uses raw string length)
+ * Walk graphemes up to a column budget, returning the longest prefix
+ * whose visible width does not exceed `maxCols`. Drops one grapheme
+ * past the budget (mirrors how truncate() consumes — never mid-cut
+ * a wide char or surrogate pair).
+ * @param {string} str
+ * @param {number} maxCols
+ * @returns {string}
+ * @private
+ */
+function _sliceByColumns(str, maxCols) {
+  if (maxCols <= 0) return '';
+  let acc = '';
+  let used = 0;
+  if (_graphemeSegmenter) {
+    for (const { segment } of _graphemeSegmenter.segment(str)) {
+      const w = visibleLength(segment);
+      if (used + w > maxCols) break;
+      acc += segment;
+      used += w;
+    }
+  } else {
+    for (const ch of str) {
+      const w = _codePointWidth(ch.codePointAt(0));
+      if (used + w > maxCols) break;
+      acc += ch;
+      used += w;
+    }
+  }
+  return acc;
+}
+
+/**
+ * Pad a string on the right to a target visible-column width.
+ * Truncates (without adding an ellipsis) when the input already
+ * exceeds the budget.
+ *
+ * Width is measured in display columns via visibleLength, NOT UTF-16
+ * `.length`. ASCII-only inputs keep their previous behaviour because
+ * `.length === visibleLength` for them. CJK / wide emoji / ZWJ
+ * clusters now pad by the columns they actually render in, and the
+ * truncate path slices on grapheme boundaries so a wide character
+ * isn't cut mid-byte.
+ *
+ * SGR-styled strings (e.g. `\x1b[31mhi\x1b[0m`) previously had their
+ * raw-byte length compared against `len`, so the colour wrapper made
+ * the string look "too long" and `substring(0, len)` cut the escape
+ * sequence in half — leaving the terminal in a stuck colour state.
+ * Now the width comparison uses visibleLength which strips ANSI
+ * before measuring, and the slice helper preserves SGR runs because
+ * they have width 0.
+ *
  * @param {string} str - String to pad
- * @param {number} len - Target length
+ * @param {number} len - Target visible-column width
  * @returns {string}
  */
 function padRight(str, len) {
-  if (str.length >= len) return str.substring(0, len);
-  return str + ' '.repeat(len - str.length);
+  const cols = visibleLength(str);
+  if (cols >= len) return _sliceByColumns(str, len);
+  return str + ' '.repeat(len - cols);
 }
 
 /**
- * Pad a string on the left, truncating if too long (uses raw string length)
+ * Pad a string on the left to a target visible-column width.
+ * Same column-vs-codeunit semantics as {@link padRight}.
+ *
  * @param {string} str - String to pad
- * @param {number} len - Target length
+ * @param {number} len - Target visible-column width
  * @returns {string}
  */
 function padLeft(str, len) {
-  if (str.length >= len) return str.substring(0, len);
-  return ' '.repeat(len - str.length) + str;
+  const cols = visibleLength(str);
+  if (cols >= len) return _sliceByColumns(str, len);
+  return ' '.repeat(len - cols) + str;
 }
 
 /**

package/src/utils/browser.js

@@ -7,17 +7,42 @@ const { execFile } = require('child_process');
 
 /**
  * Validate that a string is a safe URL to pass to OS open commands.
- * Rejects URLs containing shell metacharacters that could lead to
- * command injection when passed through cmd.exe on Windows.
+ *
+ * Rejects:
+ * - non-string / empty input
+ * - schemes other than http(s) / file
+ * - control characters in any input (would mangle argv parsing on every
+ *   open-tool we target)
+ * - on Windows only: cmd.exe shell metacharacters (`& | < > ^ " ! %`)
+ *   because the Windows path passes the URL through `cmd.exe /c start`
+ *   to invoke the `start` shell builtin. macOS (`open`) and Linux
+ *   (`xdg-open`) go through `execFile` with an args array — no shell
+ *   involved — so those characters are safe to pass verbatim there.
+ *
+ * The platform-aware split fixes a real-world bug: legitimate URLs
+ * containing `&` (query separators), `%` (percent-encoding — produced
+ * by `encodeURIComponent` for any branch name with `/`), or `!` were
+ * being rejected on macOS/Linux where they pose no shell-injection
+ * risk. The TUI's "open branch on web" action silently no-op'd for
+ * any branch like `feat/my-thing` because its built URL contained
+ * `feat%2Fmy-thing`.
+ *
  * @param {string} url
+ * @param {string} [platform=process.platform] - Override for tests.
  * @returns {boolean}
  */
-function isSafeUrl(url) {
+function isSafeUrl(url, platform) {
+  if (platform === undefined) platform = process.platform;
   if (!url || typeof url !== 'string') return false;
   // Must start with http://, https://, or file://
   if (!/^https?:\/\/|^file:\/\//i.test(url)) return false;
-  // Reject shell metacharacters that cmd.exe would interpret
-  if (/[&|<>^"!%]/.test(url)) return false;
+  // Reject embedded control bytes regardless of platform — every
+  // open-tool's argv parser would mangle them, and there is no
+  // legitimate reason for a URL to contain them.
+  // eslint-disable-next-line no-control-regex
+  if (/[\x00-\x1f\x7f]/.test(url)) return false;
+  // Windows-only: reject the chars cmd.exe interprets in unquoted args.
+  if (platform === 'win32' && /[&|<>^"!%]/.test(url)) return false;
   return true;
 }