Status Handling for /compress Command & Add "First run" settings & Save AI API info to settings.json.#24
Closed
funkpopo wants to merge 0 commit into
Conversation
jeffreysblake
added a commit
to jeffreysblake/foragen-cli
that referenced
this pull request
Nov 9, 2025
Fix 8 CodeQL security alerts in files we modified during development:

**Regex Vulnerabilities (Alerts QwenLM#25, QwenLM#17)**
- loopDetectionService.ts:309,314: Fix character class ranges by placing hyphens at start (e.g., [-+|] instead of [|+-])
- shell.ts:354: Replace ReDoS-vulnerable pattern with unrolled loop pattern for git commit message extraction (prevents exponential backtracking)

**URL Sanitization (Alerts QwenLM#24, QwenLM#9, QwenLM#30)**
- deepseek.ts:25: Use URL.hostname instead of includes() to prevent bypass (e.g., evil.com/api.deepseek.com would have passed)
- web-fetch.ts:63: Use URL.hostname for GitHub URL detection
- coreToolScheduler.ts:30 (fixed by user in da5759c)

**Clear-text Logging (Alerts QwenLM#23, QwenLM#22, QwenLM#21, QwenLM#20, QwenLM#19, QwenLM#18)**
- errors.ts: Add sanitizeSensitiveData() function to redact API keys, tokens, passwords, and OAuth codes from error messages before logging
- errors.ts:112,115: Sanitize all console.error outputs
- validateNonInterActiveAuth.ts:69: Sanitize error messages before logging
- index.ts:21,26,28: Sanitize FatalError messages and stack traces

Security Impact:
- Prevents ReDoS attacks via malicious git commit messages
- Blocks URL validation bypass attempts
- Protects API keys/tokens from appearing in logs

All fixes maintain backward compatibility and existing functionality.

Resolves CodeQL alerts: QwenLM#25, QwenLM#24, QwenLM#23, QwenLM#22, QwenLM#21, QwenLM#20, QwenLM#19, QwenLM#18, QwenLM#17, QwenLM#9
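The URL.hostname fix described in the commit above, as an added example that is not the project's code: a substring check is compared with an exact-hostname check over constructed URLs. The allowed host is taken from the commit message; `evil.example` is a constructed placeholder domain.

```javascript
// Added example (not the project's code): exact-hostname allow-listing
// versus substring matching, the weakness named in the commit message.
const ALLOWED_HOST = 'api.deepseek.com'; // host named in the commit; assumed as the allow-list entry

// Weak check: any URL whose text merely contains the host string passes,
// including URLs where the string sits in the path, a subdomain or userinfo.
function isAllowedWeak(rawUrl) {
  return rawUrl.includes(ALLOWED_HOST);
}

// Hardened check: parse first, then compare the parsed hostname exactly.
// Unparsable input is rejected rather than guessed at, and plaintext
// transport is refused so credentials never travel over http.
function isAllowedStrict(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return false;
  }
  return parsed.protocol === 'https:' && parsed.hostname === ALLOWED_HOST;
}

// Constructed inputs: one legitimate URL and four that the substring
// check wrongly accepts (the second is the case cited in the commit).
const SAMPLES = [
  'https://api.deepseek.com/v1/chat',          // legitimate
  'https://evil.example/api.deepseek.com',      // host string in the path
  'https://api.deepseek.com.evil.example/v1',   // host string as a subdomain
  'https://api.deepseek.com@evil.example/v1',   // host string in userinfo
  'http://api.deepseek.com/v1',                 // right host, plaintext
];

// Returns one row per sample so the two checks can be compared side by side.
function compareChecks() {
  return SAMPLES.map((url) => ({
    url,
    weak: isAllowedWeak(url),
    strict: isAllowedStrict(url),
  }));
}
```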
CNCSMonster
added a commit
to CNCSMonster/qwen-code
that referenced
this pull request
May 31, 2026
Source code fixes:
- QwenLM#25: Add timeout to getWlPasteImageTypes (PROCESS_TIMEOUT_MS)
- QwenLM#26: Add timeout to python3 spawn in BMP-to-PNG conversion
- QwenLM#27: Wrap child.kill() in try-catch in timeout handlers
- QwenLM#28: Replace dynamic import('node:fs/promises') with static statSync
- QwenLM#30: Export resetLinuxClipboardTool() for testability
- Add try-catch around spawn in checkClipboardForImage
- Use stdio: ['ignore', 'ignore', 'ignore'] for python3 spawn

Test fixes:
- QwenLM#24: Use vi.hoisted() for mock functions (avoids hoisting issue)
- QwenLM#31: Stub process.platform = 'linux' in beforeEach
- Add default export to node:child_process mock
- Use EventEmitter-based mock child for async behavior
- All 7 tests passing
tanzhenxin
pushed a commit
that referenced
this pull request
Jun 8, 2026
…4647)

* fix(clipboard): use platform-native tools for image paste on Linux

Replace @teddyzhu/clipboard native module with wl-paste/xclip on Linux to fix image paste in WSL2+Wayland environments.

The native module uses X11 protocol and cannot read clipboard images when the session uses Wayland (common in WSL2 with WSLg). This causes clipboardHasImage() to return false even when the clipboard contains an image.

Changes:
- Use wl-paste --list-types to detect images (Wayland)
- Use xclip -selection clipboard -t TARGETS -o to detect images (X11)
- Handle image/bmp format from Windows clipboard (WSL2 exposes BMP)
- Convert BMP to PNG using Python PIL when available
- Detect clipboard tool via WAYLAND_DISPLAY when XDG_SESSION_TYPE is unset
- Keep @teddyzhu/clipboard as fallback for macOS/Windows

Fixes #3517
Fixes #2885

* test: update clipboard tests for platform-native tools

The tests were mocking @teddyzhu/clipboard but the implementation now uses platform-native tools (wl-paste/xclip) on Linux. Update mocks to test the spawn-based implementation.

* fix: address critical review comments

1. Fix command injection in Python BMP-to-PNG conversion
   - Use sys.argv instead of string interpolation
   - Prevents path traversal via single-quote injection
2. Fix BMP fallback dead code
   - When PIL is not available, return BMP file path instead of deleting the only copy and returning false
   - Update saveClipboardImage to handle non-PNG return paths

* fix: address review suggestions for resource leaks and robustness

- #3: Add proper cleanup in saveFromCommand error paths (kill child, destroy stream)
- #4: Add 5s timeout for all spawned processes to prevent TUI hangs
- #7: Check exit code in checkClipboardForImage (code === 0)
- #8: Move fs.mkdir inside try/catch in saveClipboardImage
- #10: Merge checkWlPasteForImage/checkXclipForImage into checkClipboardForImage

* fix: address all remaining review comments

Source code fixes:
- #25: Add timeout to getWlPasteImageTypes (PROCESS_TIMEOUT_MS)
- #26: Add timeout to python3 spawn in BMP-to-PNG conversion
- #27: Wrap child.kill() in try-catch in timeout handlers
- #28: Replace dynamic import('node:fs/promises') with static statSync
- #30: Export resetLinuxClipboardTool() for testability
- Add try-catch around spawn in checkClipboardForImage
- Use stdio: ['ignore', 'ignore', 'ignore'] for python3 spawn

Test fixes:
- #24: Use vi.hoisted() for mock functions (avoids hoisting issue)
- #31: Stub process.platform = 'linux' in beforeEach
- Add default export to node:child_process mock
- Use EventEmitter-based mock child for async behavior
- All 7 tests passing

* perf: cache wl-paste --list-types result to avoid redundant calls

Avoid spawning wl-paste twice on the paste hot path:
1. clipboardHasImage calls wl-paste --list-types (check)
2. saveClipboardImage calls getWlPasteImageTypes (get types)

Now the result is cached after the first call and reused. Cache is reset via resetLinuxClipboardTool() for testing.

* fix: address remaining review suggestions

- #1: Add child.stdout error handler in saveFromCommand
- #2: Add macOS/Windows test coverage for @teddyzhu/clipboard fallback
- #3: Fix .replace('.png', '.bmp') to use regex /\.png$/ to prevent path corruption

* fix: address critical cache invalidation and other review feedback

- #1 Critical: Reset cachedWlPasteImageTypes at start of clipboardHasImage to prevent stale data between paste operations
- #1 Critical: Check exit code in getWlPasteImageTypes close handler, do not cache failed results
- #2: Replace statSync with async fs.stat to avoid blocking event loop
- #3: Remove async from close handler, use promise chain instead
- #4: Return false instead of bmpPath when PIL conversion fails, as downstream expects .png files
- #5: Capture stderr from spawned processes for diagnostics

* fix: address remaining code review issues

- #1: Narrow detection to only report supported formats (png/bmp)
- #2: Do not cache results on timeout or error
- #3: Use line-level matching instead of includes('image/')
- #4: Replace execSync with execFileSync to avoid shell injection
- #5: Upgrade BMP→PNG failure log to warn level with install hint

* fix: restore getClipboardModule import caching (regression fix)

The original Qwen Code cached the @teddyzhu/clipboard module import via getClipboardModule() with cachedClipboardModule and clipboardLoadAttempted. Our refactoring removed this caching, causing the module to be re-imported on every clipboardHasImage/saveClipboardImage call. Restored the original caching mechanism for macOS/Windows fallback path.

* test: add saveClipboardImage success path and cache behavior tests

- Add test for successful PNG save path
- Add test for cache invalidation between clipboardHasImage calls
- All 11 tests passing

* fix: revert execSync to fix WSL2 clipboard detection

execFileSync('command', ['-v', 'wl-paste']) fails because 'command' is a shell built-in, not an executable. execSync runs through a shell so it can find 'command'. Reverted to execSync to restore clipboard tool detection on WSL2.

Also fixed TypeScript errors in tests by using (child as any) for mock event emitter properties.

* fix: address critical file leak and filter issues from review

- #1: Clean up bmpPath in catch block when PIL conversion fails
- #2: Narrow getWlPasteImageTypes filter to only image/png and image/bmp
- #3: Clean up empty PNG file when size guard fails
- #3b: Fix typo python3-pyl → python3-pil

* test: add xclip, BMP, error path test coverage; fix weak assertion

- Add xclip/X11 path tests (detection, no image, not found)
- Add BMP-to-PNG conversion tests (PIL failure, prefer PNG over BMP)
- Add saveFromCommand error path tests (timeout, spawn error, stdout error)
- Replace tautological 'successful PNG save' assertion with proper null-on-error tests
- Fix ESLint: add no-explicit-any suppressions, prefix unused setupWaylandEnv

Note: xclip save success path requires createWriteStream mock that vitest cannot fully support with ...actual spread. Detection and error paths verified.

19 tests passing.

* fix: remove unused _setupWaylandEnv function that breaks TS build

Fixes TS6133 error caused by noUnusedLocals: true in tsconfig.json. The function was generated by test agent but never called.

* fix: clean up tempFilePath on PIL conversion failure

When python3 PIL conversion fails mid-write, tempFilePath (the target .png) may have been partially written. Add fs.unlink(tempFilePath) in the catch block to prevent partial file leakage.

Suggested by wenshao in PR review.

* fix: address review feedback on file leaks and test coverage

- Add tempFilePath cleanup when python3 PIL conversion fails mid-write
- Restore image/bmp detection with clarifying comment (WSL2 Wayland)
- Fix stat mock syntax (remove debug console.log, simplify)
- Fix originalPlatform scope (was undefined in afterEach)

Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>

19 tests passing, tsc + eslint clean.

* ci: retrigger tests

* fix: address review feedback on test coverage and defensive guard

- Replace tautological saveClipboardImage assertion with meaningful spawn-argument verification
- Wrap clipboardHasImage Linux branch in try/catch guard (preserve 'never throw, return false' contract)
- Fix node:fs/promises mock to use importOriginal for indirect deps
- Add readFile/writeFile/appendFile/access/copyFile/rename/rm/rmdir to mock (required by indirect deps like chatCompressionService)
- Remove node:fs root mock to avoid cross-test pollution

19 tests passing, tsc + eslint clean.

* fix: address review feedback on test coverage and defensive guard

- Replace tautological saveClipboardImage assertion with spawn-arg verification (prefer PNG over BMP test)
- Wrap clipboardHasImage Linux branch in try/catch guard
- Fix node:fs/promises mock to use importOriginal for indirect deps
- Add missing fs/promises methods (readFile etc.) required by deps
- Remove node:fs root mock entirely to avoid cross-test pollution
- Document xclip/BMP save success path: blocked by vitest built-in module mock limitation

19 tests passing, tsc + eslint clean.

* fix: secure clipboard temp filename with random UUID suffix

Add random UUID to temp filename to prevent predictable path symlink attacks (Critical review feedback). The UUID makes the path unguessable, eliminating the symlink attack vector.

19 tests passing, tsc + eslint clean.

* fix: add O_EXCL protection against symlink attacks in saveFromCommand

Use fs.open with O_EXCL flag (O_WRONLY|O_CREAT|O_EXCL) to atomically create the file, refusing to follow symlinks. Combined with the random UUID filename from the previous commit, this fully addresses the symlink attack vector identified in review.

Also update 'prefer PNG over BMP' test: with O_EXCL, the save path fails when mkdir is mocked (directory doesn't exist), so the test now verifies format detection only rather than the full save pipeline.

19 tests passing, tsc + eslint clean.

* fix: capture python3 stderr for BMP conversion errors

Use stdio 'pipe' for stderr instead of 'ignore' so users see useful diagnostic messages (e.g. ModuleNotFoundError: No module named PIL) when python3 BMP-to-PNG conversion fails.

19 tests passing, tsc + eslint clean.
TLDR
This pull request addresses the status handling after executing the /compress command. Currently, some users experience difficulty in accurately determining if the command is actively running when their historical content is too long; they only receive a notification once the command has completed.
Adding a status display will provide users with more comprehensive visual feedback, significantly improving the overall user experience.
Dive Deeper
Reviewer Test Plan
Testing Matrix
Linked issues / bugs