Prevent Lua injection in Neovim error notifications (#3277)

phillco · web-flow · commit 629033ca283c · 2026-05-22T16:33:01.000+02:00
### Motivation - Prevent execution of attacker-controlled Lua by removing string interpolation of error messages into generated Lua code for Neovim notifications. ### Description - Replace unsafe interpolation in `showErrorMessage` with an argument-bound call by using `vim.notify(...)` as the Lua snippet and passing the `message` via `executeLua` arguments so user text is treated as data. ### Testing - Ran the repository lint suite with `pnpm run lint`, which completed successfully. ------ [Codex Task](https://chatgpt.com/codex/cloud/tasks/task_e_6a0a285bb2708333beb624ab75faffbd)
diff --git a/packages/lib-neovim-common/src/neovimApi.ts b/packages/lib-neovim-common/src/neovimApi.ts
@@ -164,6 +164,6 @@ export async function showErrorMessage(
   client: NeovimClient,
   message: string,
 ): Promise<void> {
-  const luaCode = `vim.notify("${message}")`;
-  await client.executeLua(luaCode, []);
+  const luaCode = "vim.notify(...)";
+  await client.executeLua(luaCode, [message]);
 }

Original file line number	Diff line number	Diff line change
`@@ -164,6 +164,6 @@ export async function showErrorMessage(`
`164`	`164`	`client: NeovimClient,`
`165`	`165`	`message: string,`
`166`	`166`	`): Promise<void> {`
`167`		- const luaCode = `vim.notify("${message}")`;
`168`		`- await client.executeLua(luaCode, []);`
	`167`	`+ const luaCode = "vim.notify(...)";`
	`168`	`+ await client.executeLua(luaCode, [message]);`
`169`	`169`	`}`