From 9b65a20925349dbdc5919041d81cbd12ad8facf1 Mon Sep 17 00:00:00 2001
From: toastal
Date: Wed, 15 Apr 2026 01:43:05 +0000
Subject: Phase 1: Fix security vulnerabilities and error handling
- Fix command injection in editor.ml using Filename.quote
- Change KDL.of_flow to return Result instead of failwith
- Update manifest.ml to handle new Result type
Security: Prevents shell injection when opening files with malicious filenames containing shell metacharacters.
Error handling: KDL parsing errors now return Result type instead of crashing with failwith.
---
 lib/editor.ml | 2 +-
 lib/kDL.ml | 5 +++--
 lib/manifest.ml | 3 ++-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/editor.ml b/lib/editor.ml
index 49706b4..a68c6b0 100644
--- a/lib/editor.ml
+++ b/lib/editor.ml
@@ -13,6 +13,6 @@ let find () =
 let run_on file =
 match find () with
 | ed when String.contains ed ' ' ->
- Unix.execvp "/bin/sh" [|"/bin/sh"; "-c"; ed ^ " " ^ file|]
+ Unix.execvp "/bin/sh" [|"/bin/sh"; "-c"; ed ^ " " ^ Filename.quote file|]
 | ed -> Unix.execvp ed [|ed; file|]
diff --git a/lib/kDL.ml b/lib/kDL.ml
index 550c26f..a00d1ff 100644
--- a/lib/kDL.ml
+++ b/lib/kDL.ml
@@ -11,8 +11,9 @@ let of_flow flow =
 (fun buf -> Eio.Buf_read.take_all buf |> Kdl.of_string)
 ~max_size: max_int flow
+ |> Result.ok
 with
- | exn -> failwith (Printexc.to_string exn)
+ | Kdl.Parse_error (msg, _) -> Error (`ParseError msg)
 let to_flow flow doc =
 Eio.Buf_write.with_flow flow @@ fun buf ->
@@ -40,7 +41,7 @@ module L = KDL_lens_result
 module Valid = struct
 type err = [
 | L.lerr
- | `ParseError of Kdl.error
+ | `ParseError of string
 | `OneRequired of string list
 | `OnlyOneOf of string list
 | `InvalidLatestCmd of string
diff --git a/lib/manifest.ml b/lib/manifest.ml
index 77c75f3..7bf2997 100644
--- a/lib/manifest.ml
+++ b/lib/manifest.ml
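Review bot: A filename beginning with `-` or `+` still reaches the editor as an option in both arms of this match, because `Filename.quote` only protects against the shell in the `sh -c` arm and the `execvp ed [|ed; file|]` arm passes `file` straight through; with vim, for instance, a `+{cmd}` argument executes an Ex command before the file is even displayed. If `file` can be attacker-influenced, as the commit message suggests, neutralise the leading character before the match: `let file = if String.length file > 0 && (file.[0] = '-' || file.[0] = '+') then "./" ^ file else file in`. A `--` separator would also work for editors that honour it, but not all do. `run_on` looks complete within the hunk; `find` is defined above it and not shown.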
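Review bot: `|> Result.ok` wraps the value of the call that starts above the hunk, and if that call is `Eio.Buf_read.parse` (its `parser`, `~max_size` and `flow` arguments are what the context lines show) it already returns an `('a, [> `Msg of string]) result`, so the success value of `of_flow` becomes a result nested inside a result and a `Msg` failure from the parser comes back as `Ok (Error ...)` rather than as `ParseError. If that nesting is unintended, map instead of wrapping: `|> Result.map_error (fun (`Msg m) -> `ParseError m)`. Narrowing the handler from `exn` to `Kdl.Parse_error` also means I/O exceptions raised while reading the flow now propagate unchanged instead of becoming `Failure`, which is reasonable but narrower than the commit message's "no longer crashes" claim. The `try` and the callee's name are outside the hunk, so please confirm it is `parse` and not `parse_exn`.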
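Review bot: Narrowing the payload to `string` discards the second component of `Kdl.Parse_error` (the `_` dropped in the handler earlier in this file), which is presumably the position of the failure, so consumers of `Valid.err` lose line/column information that the old `Kdl.error` payload carried. If that component is a location, keep it in the variant, e.g. `` `ParseError of string * loc `` with `loc` being whatever type the exception carries, and bind it as `Parse_error (msg, loc) -> Error (`ParseError (msg, loc))`; the `map_error` pattern in `manifest.ml` would then need the same shape. The `Valid.err` type continues past the end of the hunk.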
@@ -869,10 +869,11 @@ let read () =
 let working_dir = Working_directory.get () in
 let filepath = Eio.Path.(working_dir / filename) in
 Logs.info (fun m -> m "Reading manifest @@ %a …" Eio.Path.pp filepath);
- let* kdl =
+ let kdl_result =
 Eio.Path.with_open_in filepath @@ fun flow ->
 KDL.of_flow flow in
+ let* kdl = kdl_result |> Result.map_error (fun (`ParseError msg) -> `Parsing [`ParseError msg]) in
 let () = manifest := Some kdl in
 Ok kdl
-- cgit v1.2.3
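Review bot: The `Result` path only covers parse failures; `Eio.Path.with_open_in` on a missing or unreadable manifest still raises Eio's `Io` exception, so `read` continues to crash on the most likely failure, a manifest that is not there, despite the commit message's framing. Consider catching it at the `kdl_result` binding, `match Eio.Path.with_open_in filepath (fun flow -> KDL.of_flow flow) with | r -> r | exception (Eio.Io _ as e) -> Error ...`, mapping onto whichever constructor of `read`'s error type represents an unreadable manifest (or adding one) so callers can report it instead of catching an exception. Note also that `kdl` takes whatever success type `KDL.of_flow` now yields, and since that function's body changed in this same commit, `manifest := Some kdl` is where any change of shape would surface. `read`'s header is only the hunk's function context, so the rest of the function is outside the view.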