Fix terminal dashboard ANSI/control byte injection #23

Merged
frantic-openai merged 1 commit into main from frantic/mt-898-terminal-output-injection-ansicontrol-chars-in-terminal
Mar 3, 2026

@frantic-openai
Collaborator

Context

Protect the dashboard status terminal from ANSI and control-byte payloads so tool outputs can’t inject terminal formatting.

TL;DR

Sanitize Codex payload text before dashboard rendering to drop ANSI and control bytes.

Summary

  • Add centralized stripping of ANSI escapes and control bytes in humanize_codex_payload.
  • Keep existing newline/spacing normalization and preserve human-readable non-control text.
  • Add a regression test for ANSI and NUL bytes in dashboard event text.

Alternatives

  • Sanitizing only the render path was possible, but centralizing in payload humanization keeps behavior consistent.
  • Escaping control bytes was rejected because it still permits escape-like artifacts in fixed-width columns.

Test Plan

  • make -C elixir all
  • mix test test/symphony_elixir/orchestrator_status_test.exs

Summary:
- sanitize humanize_codex_payload output by stripping ANSI escape sequences and
  control bytes
- keep existing newline and spacing normalization behavior
- add regression coverage for ANSI and NUL-control payloads in status dashboard

Rationale:
- prevents terminal injection/malicious formatting in dashboard event lines
- avoids control-byte escape rendering while preserving readable normal messages

Tests:
- mix test test/symphony_elixir/orchestrator_status_test.exs
- cd elixir && make all (fails due to a flaky existing timing test, unrelated)

Co-authored-by: Codex <codex@openai.com>
@frantic-openai frantic-openai added the symphony label (Track Symphony work for codebase) Mar 3, 2026
@frantic-openai frantic-openai merged commit 1728e10 into main Mar 3, 2026
2 checks passed
@frantic-openai frantic-openai deleted the frantic/mt-898-terminal-output-injection-ansicontrol-chars-in-terminal branch March 3, 2026 23:40
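
The strip-versus-escape trade-off from the Alternatives list, as an added Elixir example that is not the PR's code. `DashboardSanitizeExample`, its functions, the 24-column width and the sample payload are constructed for illustration, and keeping tab and newline for a later normalization step is an assumption.

```elixir
# Added illustration only: module and function names are hypothetical, not Symphony's code.
defmodule DashboardSanitizeExample do
  # One left-to-right pass, so removing one sequence cannot splice a new one together.
  # Alternatives, in order: OSC (ESC ] ... BEL or ESC \), CSI (ESC [ params final),
  # other short escapes (ESC intermediates final), then any remaining C0 byte or DEL.
  # Tab and newline are kept so later whitespace normalization still sees them
  # (assumption about the surrounding code).
  defp unsafe do
    ~r/\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)|\x1b\[[0-?]*[ -\/]*[@-~]|\x1b[ -\/]*[0-~]|[\x00-\x08\x0b-\x1f\x7f]/
  end

  # Strip: the approach the PR describes. Matched bytes are dropped outright.
  def strip(text) when is_binary(text), do: Regex.replace(unsafe(), text, "")

  # Escape: the rejected alternative, shown for comparison. Every control byte
  # becomes visible "\xNN" text, which is inert but consumes column width.
  def escape(text) when is_binary(text) do
    Regex.replace(~r/[\x00-\x08\x0b-\x1f\x7f]/, text, fn <<byte>> ->
      "\\x" <> String.pad_leading(Integer.to_string(byte, 16), 2, "0")
    end)
  end

  # Render one fixed-width dashboard cell (the width is a constructed value).
  def cell(text, width \\ 24) do
    text |> String.slice(0, width) |> String.pad_trailing(width)
  end
end

# Constructed sample: red "FAILED", a NUL, an OSC title change, then erase-line + CR.
payload = "build \e[31mFAILED\e[0m\0 \e]0;pwned\a\e[2K\rok"

stripped = DashboardSanitizeExample.strip(payload)
escaped = DashboardSanitizeExample.escape(payload)

# The stripped cell keeps the whole readable message; the escaped cell spends
# its width on "\x1B..." artifacts and truncates the message.
IO.inspect(DashboardSanitizeExample.cell(stripped), label: "strip ")
IO.inspect(DashboardSanitizeExample.cell(escaped), label: "escape")
```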