Codex review R1: fix spec/code mismatch on paste tier order, escape \\r in shellEscapePosix

nedtwigg · nedtwigg · commit f9193c5338c9 · 2026-04-22T19:56:31.000Z
diff --git a/docs/specs/mouse-and-clipboard.md b/docs/specs/mouse-and-clipboard.md
@@ -302,9 +302,9 @@ The bracketed-paste mode is read at paste time from xterm's public `terminal.mod
 
 Paste reads the clipboard in three tiers, falling through in order:
 
-1. **Plain text.** `navigator.clipboard.readText()`. If non-empty, the string is written to the PTY (with bracketed-paste wrapping when enabled by the inside program).
-2. **File references.** If the clipboard has no text but carries OS file references (Finder/Explorer Copy of a file), each path is shell-escaped and the space-joined list is written to the PTY with a trailing space so the next token starts cleanly.
-3. **Raw image data.** If neither of the above matches and the clipboard holds image bytes (e.g. a `Cmd+Shift+4` screenshot), the bytes are written to `$TMPDIR/mouseterm-drops/<uuid>.png` and that single path is pasted as in tier 2.
+1. **File references.** The platform adapter checks for OS file references (Finder/Explorer Copy of a file) via the sidecar/extension host. If present, each path is shell-escaped and the space-joined list is written to the PTY with a trailing space so the next token starts cleanly. Files are checked first so that a file-ref clipboard never reaches `navigator.clipboard.readText()` — on macOS WKWebView that call can trigger a native paste-permission popup when the clipboard came from another app.
+2. **Plain text.** `navigator.clipboard.readText()`. If non-empty, the string is written to the PTY (with bracketed-paste wrapping when enabled by the inside program).
+3. **Raw image data.** If neither of the above matches and the clipboard holds image bytes (e.g. a `Cmd+Shift+4` screenshot), the bytes are written to `$TMPDIR/mouseterm-drops/<uuid>.png` and that single path is pasted as in tier 1.
 
 Each tier is implemented by a shared Node module (`standalone/sidecar/clipboard-ops.js`) that shells out to the OS-native clipboard tool: `osascript` on macOS, `Get-Clipboard` on Windows, `wl-paste`/`xclip` on Linux. The Tauri build reaches it through the existing sidecar; the VSCode build calls into the same module from its extension host. If every tier comes back empty, paste is a silent no-op.
 
diff --git a/lib/src/lib/shell-escape.test.ts b/lib/src/lib/shell-escape.test.ts
@@ -26,6 +26,10 @@ describe('shellEscapePosix', () => {
     expect(shellEscapePosix('a\\b.png')).toBe('a\\\\b.png');
   });
 
+  it('backslash-escapes carriage returns (security: prevents command injection)', () => {
+    expect(shellEscapePosix('a\rb')).toBe('a\\\rb');
+  });
+
   it('backslash-escapes shell metacharacters', () => {
     expect(shellEscapePosix('a$b')).toBe('a\\$b');
     expect(shellEscapePosix('a`b')).toBe('a\\`b');
diff --git a/lib/src/lib/shell-escape.ts b/lib/src/lib/shell-escape.ts
@@ -11,7 +11,7 @@ function detectIsWindows(): boolean {
 // metacharacter instead of wrapping in quotes. TUIs like `claude` recognize
 // backslash-escaped tokens as filesystem paths where a single-quoted whole
 // path gets treated as opaque pasted text.
-const POSIX_UNSAFE = /([ \t\n!"#$&'()*;<>?[\\\]`{|}~])/g;
+const POSIX_UNSAFE = /([ \t\n\r!"#$&'()*;<>?[\\\]`{|}~])/g;
 
 export function shellEscapePosix(input: string): string {
   if (input === '') return "''";
