fix: batch G — security hardening (pipe spoof warning, jsonEscaped error, log sanitize)

Author: DeliciousBuding

internal/client/browser.go

@@ -260,7 +260,10 @@ func isDebuggerError(err error) bool {
 // in JavaScript string literals (e.g., inside Runtime.evaluate expressions).
 // Unlike Go's %q, json.Marshal uses the same escaping rules as JavaScript.
 func jsonEscaped(s string) string {
-	b, _ := json.Marshal(s)
+	b, err := json.Marshal(s)
+	if err != nil {
+		return `""`
+	}
 	return string(b)
 }
 

internal/client/client.go

@@ -52,6 +52,13 @@ func Connect(pipeName string, logger *log.Logger) (*Client, error) {
 				"  4. The extension has connected to Codex Desktop (open a Codex chat once to trigger initialization)")
 		}
 
+		// The pipe prefix namespace is flat: any local process can create pipes with
+		// the "codex-browser-use-" prefix. When multiple pipes exist, an attacker
+		// could register a fake pipe before the legitimate Codex Desktop starts.
+		if len(pipes) > 1 && logger != nil {
+			logger.Printf("Warning: multiple codex-browser-use pipes found (%d). This may indicate stale or unauthorized pipes.", len(pipes))
+		}
+
 		// Try each pipe until one connects AND passes health check
 		var lastErr error
 		for _, p := range pipes {

internal/protocol/protocol.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"strings"
 )
 
 // JSON-RPC 2.0 message types (Codex uses JSON-RPC without the "jsonrpc":"2.0" field on responses)
@@ -32,7 +33,9 @@ type ErrorObject struct {
 }
 
 func (e *ErrorObject) Error() string {
-	return fmt.Sprintf("json-rpc error %d: %s", e.Code, e.Message)
+	msg := strings.ReplaceAll(e.Message, "\n", "\\n")
+	msg = strings.ReplaceAll(msg, "\r", "\\r")
+	return fmt.Sprintf("json-rpc error %d: %s", e.Code, msg)
 }
 
 // SessionParams are injected into every request's params