mirror of
https://github.com/catlog22/Claude-Code-Workflow.git
synced 2026-02-06 01:54:11 +08:00
ad6c18f615
BREAKING: executeCodexLens now uses shell:false to prevent RCE Security fixes: - Remove shell:true from spawn() to prevent command injection (CRITICAL) - Add .env value escaping to prevent injection when file is sourced - Strengthen path validation with startsWith to block subdirectories - Add path traversal detection (../) - Improve JSON extraction to handle trailing CLI output Features: - Refactor CodexLens panel to tabbed layout (Overview/Settings/Search/Advanced) - Add environment variables editor for ~/.codexlens/.env - Add API concurrency settings (max_workers, batch_size) - Add escapeHtml() helper to prevent XSS - Implement merge mode for env saving to preserve custom variables