Skip to content

Commit 86db03b

Browse files
Mossakaclaude
andcommitted
fix: use JSON.stringify in error message to prevent log injection
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 763800f commit 86db03b

1 file changed

Lines changed: 3 additions & 2 deletions

File tree

src/domain-patterns.ts

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -158,13 +158,14 @@ export function validateDomainOrPattern(input: string): void {
158158
const DANGEROUS_CHARS = /[\s\0"'`;#\\]/;
159159
const match = trimmed.match(DANGEROUS_CHARS);
160160
if (match) {
161+
const safeDomainForMessage = JSON.stringify(trimmed);
161162
const charCode = match[0].charCodeAt(0);
162163
const charDesc = charCode <= 0x20 || charCode === 0x7f
163164
? `U+${charCode.toString(16).padStart(4, '0')}`
164165
: `'${match[0]}'`;
165166
throw new Error(
166-
`Invalid domain '${trimmed}': contains invalid character ${charDesc}. ` +
167-
`Domain names must not contain whitespace, quotes, semicolons, backslashes, or control characters.`
167+
`Invalid domain ${safeDomainForMessage}: contains invalid character ${charDesc}. ` +
168+
`Domain names must not contain whitespace, quotes, semicolons, backticks, hash characters, backslashes, or control characters.`
168169
);
169170
}
170171

0 commit comments

Comments
 (0)