npm - git-watchtower - Versions diffs - 2.3.5 → 2.3.7 - Mend

git-watchtower 2.3.5 → 2.3.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/bin/git-watchtower.js CHANGED Viewed

@@ -859,7 +859,7 @@ let verySlowFetchWarningShown = false;
 let pollIntervalId = null;
 // ANSI escape codes and box drawing imported from src/ui/ansi.js
-const { ansi, box, truncate, sparkline: uiSparkline, visibleLength, stripAnsi, padRight, padLeft, getMaxBranchesForScreen: calcMaxBranches, drawBox: renderBox, clearArea: renderClearArea } = require('../src/ui/ansi');
+const { ansi, box, truncate, sparkline: uiSparkline, visibleLength, stripAnsi, sanitizeForRender, padRight, padLeft, getMaxBranchesForScreen: calcMaxBranches, drawBox: renderBox, clearArea: renderClearArea } = require('../src/ui/ansi');
 // Error detection utilities imported from src/utils/errors.js
 const { isAuthError, isMergeConflict, isNetworkError } = require('../src/utils/errors');
@@ -1111,10 +1111,16 @@ function getCasinoMessage(type) {
 function addLog(message, type = 'info') {
   const icons = { info: '○', success: '✓', warning: '●', error: '✗', update: '⟳' };
   const colors = { info: 'white', success: 'green', warning: 'yellow', error: 'red', update: 'cyan' };
-  // Collapse any whitespace (newlines, tabs, CRs) into a single space so that
-  // multi-line content (e.g. git stderr from a failed auto-pull) cannot leak
-  // cursor movement into the rendered box and corrupt the surrounding UI.
-  const safeMessage = String(message == null ? '' : message).replace(/\s+/g, ' ').trim();
+  // Collapse any whitespace (newlines, tabs, CRs) into a single space, then
+  // strip dangerous escape sequences (cursor moves, screen clears, OSC,
+  // bell, etc.). git stderr and remote git output regularly contain ANSI
+  // colour AND raw control codes; without sanitising, a colourised
+  // `git fetch` error or a malicious commit subject can corrupt the
+  // rendered box. SGR colour codes survive — sanitizeForRender preserves
+  // them so any styling we want stays.
+  const safeMessage = sanitizeForRender(
+    String(message == null ? '' : message).replace(/\s+/g, ' ').trim()
+  );
   const entry = {
     message: safeMessage, type,
     timestamp: new Date().toLocaleTimeString(),

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "git-watchtower",
-  "version": "2.3.5",
+  "version": "2.3.7",
   "description": "Terminal-based Git branch monitor with activity sparklines and optional dev server with live reload",
   "main": "bin/git-watchtower.js",
   "bin": {

package/src/casino/index.js CHANGED Viewed

@@ -283,6 +283,16 @@ function startSlotReels(renderCallback) {
  * @param {Object|null} winLevel - The win level object from getWinLevel()
  */
 function stopSlotReels(hadUpdates = false, renderCallback = null, winLevel = null) {
+  // No-op when casino mode is off. The bin's polling path captures
+  // `casinoOn` once at the top of pollGitChanges and continues to use that
+  // snapshot for the rest of the cycle, so a poll completing AFTER the
+  // user toggled casino off would otherwise install a fresh
+  // slotResultInterval that fires render() ~20× over the next 3s. The
+  // display getters are already guarded by `casinoEnabled`, so the user
+  // sees nothing — but render() still burns full-screen redraws and the
+  // interval keeps a closure alive. Drop the call cleanly here instead.
+  if (!casinoEnabled) return;
   if (slotReelInterval) {
     clearInterval(slotReelInterval);
     slotReelInterval = null;

package/src/ui/ansi.js CHANGED Viewed

@@ -282,14 +282,79 @@ const indicators = {
  * Helper functions for working with ANSI codes
  */
+// Match any ECMA-48 CSI sequence: ESC [ <params> <intermediates> <final byte>.
+// final byte is in 0x40-0x7E. Covers SGR (m), cursor movement (A-H), erase
+// (J/K), scroll, mode set/reset (h/l), and everything else terminals
+// recognise via CSI.
+// eslint-disable-next-line no-control-regex
+const CSI_RE = /\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/g;
+// Match CSI sequences that are NOT SGR (final byte 'm' / 0x6D). Used by the
+// render-safe sanitiser to drop dangerous controls while preserving colour.
+// eslint-disable-next-line no-control-regex
+const NON_SGR_CSI_RE = /\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x6c\x6e-\x7e]/g;
+// Match OSC sequences: ESC ] ... terminator (BEL or ESC \). These set
+// terminal title, hyperlinks, etc. — all undesirable in untrusted input.
+// eslint-disable-next-line no-control-regex
+const OSC_RE = /\x1b\][\s\S]*?(?:\x07|\x1b\\)/g;
+// Match other 2-byte ESC sequences (Fe codes 0x40-0x5F) excluding CSI ([)
+// and OSC (]) which are handled separately above.
+// eslint-disable-next-line no-control-regex
+const ESC_RE = /\x1b[@-Z\\-_]/g;
+// Match dangerous C0 control characters. Whitespace (\t, \n, \r) and ESC
+// (\x1b) are excluded — ESC is consumed by the escape-sequence regexes
+// above, and SGR codes preserved by sanitizeForRender contain it. Bell,
+// BS, VT, FF, SO, SI, DEL, etc. all get stripped.
+// eslint-disable-next-line no-control-regex
+const C0_RE = /[\x00-\x08\x0b\x0c\x0e-\x1a\x1c-\x1f\x7f]/g;
 /**
- * Strip ANSI codes from a string
+ * Strip ALL ANSI escape sequences and dangerous C0 control characters.
+ * Use this for measuring display width or for fully sanitising untrusted
+ * input that won't be styled (e.g. JSON pushed to the web dashboard).
+ *
+ * Catches CSI (cursor moves, screen clears, SGR colour), OSC (terminal
+ * title), other 2-byte ESC sequences, and dangerous C0 controls (bell,
+ * backspace, etc). Preserves whitespace (\t, \n, \r).
+ *
  * @param {string} str - String potentially containing ANSI codes
  * @returns {string} String with ANSI codes removed
  */
 function stripAnsi(str) {
-  // eslint-disable-next-line no-control-regex
-  return str.replace(/\x1b\[[0-9;]*m/g, '');
+  return String(str)
+    .replace(OSC_RE, '')
+    .replace(CSI_RE, '')
+    .replace(ESC_RE, '')
+    .replace(C0_RE, '')
+    // Final pass: any stray ESC bytes left over from malformed sequences.
+    // Display surfaces that ask for "no escapes" should never see one.
+    // eslint-disable-next-line no-control-regex
+    .replace(/\x1b/g, '');
+}
+/**
+ * Sanitise a string for safe terminal rendering: strip dangerous escape
+ * sequences (cursor moves, screen clears, OSC terminal-title, bell, etc.)
+ * while PRESERVING SGR colour/style codes so legitimate styling we built
+ * ourselves still renders.
+ *
+ * Use this on any string that came from outside (commit subjects, branch
+ * names, git stderr, PR titles) before it flows to the renderer. A
+ * malicious commit subject containing `\x1b[2J` would otherwise clear the
+ * screen on every render.
+ *
+ * @param {string} str - Untrusted string that will be written to a TTY
+ * @returns {string} String with dangerous escapes removed, SGR preserved
+ */
+function sanitizeForRender(str) {
+  return String(str)
+    .replace(OSC_RE, '')
+    .replace(NON_SGR_CSI_RE, '')
+    .replace(ESC_RE, '')
+    .replace(C0_RE, '');
 }
 /**
@@ -302,19 +367,27 @@ function visibleLength(str) {
 }
 /**
- * Truncate a string to a maximum visible length, preserving ANSI codes
- * @param {string} str - String to truncate
+ * Truncate a string to a maximum visible length, preserving SGR colour
+ * codes but stripping any other escape sequences (cursor movement, screen
+ * clears, OSC, bell, etc.). This guarantees that even short, non-truncated
+ * strings cannot leak terminal-corrupting escapes to the renderer.
+ *
+ * @param {string} str - String to truncate (may contain SGR + dangerous escapes)
  * @param {number} maxLen - Maximum visible length
  * @param {string} [suffix='…'] - Suffix to append if truncated
  * @returns {string} Truncated string
  */
 function truncate(str, maxLen, suffix = '…') {
-  const visible = stripAnsi(str);
+  // Strip dangerous escapes up front so the fast-path can never return a
+  // raw input with cursor/screen-control sequences in it. SGR survives.
+  const safeStr = sanitizeForRender(str);
+  const visible = stripAnsi(safeStr);
   if (visible.length <= maxLen) {
-    return str;
+    return safeStr;
   }
-  // Simple approach: strip ANSI, truncate, add suffix and reset
+  // Long-string path: drop ALL escapes (including SGR), truncate, append
+  // ellipsis + reset. Existing behaviour, kept for layout determinism.
   const truncated = visible.slice(0, maxLen - suffix.length);
   return truncated + suffix + ansi.reset;
 }
@@ -497,6 +570,7 @@ module.exports = {
   generateSparkline,
   indicators,
   stripAnsi,
+  sanitizeForRender,
   visibleLength,
   truncate,
   pad,