Fix shell injection vulnerability when combining systemPromptFile with prompt. The prompt could contain shell metacharacters ($(), backticks) that would be executed inside the double-quoted string. Now uses the exact same pattern as OpenCode: "$(cat 'file'; printf '\n\n'; printf %s 'prompt')" The shellEscape wraps prompt in single quotes (no shell expansion), and printf %s outputs it literally without interpretation. Co-Authored-By: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| src | ||
| package.json | ||
| tsconfig.json | ||