Skip to content

Write last build tag to /tmp for statusline #2652

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lawrencecchen wants to merge 1 commit into
base: main
Choose a base branch
from
+4 −0
Open

Write last build tag to /tmp for statusline #2652

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions scripts/reload.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -405,6 +405,10 @@ if [[ -n "$TAG" && "$APP_NAME" != "$SEARCH_APP_NAME" ]]; then
CMUX_DEBUG_LOG="/tmp/cmux-debug-${TAG_SLUG}.log"
write_last_socket_path "$CMUX_SOCKET"
echo "$CMUX_DEBUG_LOG" > /tmp/cmux-last-debug-log-path || true
echo "$TAG" > /tmp/cmux-last-tag || true
if [[ -n "${CLAUDE_SESSION_ID:-}" ]]; then
echo "$TAG" > "/tmp/cmux-last-tag-${CLAUDE_SESSION_ID}" || true
Comment on lines +409 to +410
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Sanitize session ID before composing tag file path

CLAUDE_SESSION_ID is written directly into the filename (/tmp/cmux-last-tag-${CLAUDE_SESSION_ID}) without slugging/validation. If the session id ever contains path separators or traversal segments (for example a/b), the redirection fails or can target an unintended path, and the trailing || true suppresses the error so the per-session tag file is silently not updated. This breaks the new statusline behavior for those sessions; normalize the id (e.g., via sanitize_path) before using it in a filesystem path.

Useful? React with 👍 / 👎.

fi
Comment on lines +409 to +411
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Unsanitized CLAUDE_SESSION_ID in filename

The script's established pattern is to pass all env-controlled values through sanitize_path() before embedding in /tmp paths (e.g. TAG_SLUG="$(sanitize_path "$TAG")"). Using CLAUDE_SESSION_ID raw could silently write to an unintended path if it ever contained / or ..; the || true means failures go unnoticed.

Suggested change
if [[ -n "${CLAUDE_SESSION_ID:-}" ]]; then
echo "$TAG" > "/tmp/cmux-last-tag-${CLAUDE_SESSION_ID}" || true
fi
if [[ -n "${CLAUDE_SESSION_ID:-}" ]]; then
SESSION_SLUG="$(sanitize_path "${CLAUDE_SESSION_ID}")"
echo "$TAG" > "/tmp/cmux-last-tag-${SESSION_SLUG}" || true
fi

/usr/libexec/PlistBuddy -c "Add :LSEnvironment dict" "$INFO_PLIST" 2>/dev/null || true
/usr/libexec/PlistBuddy -c "Set :LSEnvironment:CMUXD_UNIX_PATH \"${CMUXD_SOCKET}\"" "$INFO_PLIST" 2>/dev/null \
|| /usr/libexec/PlistBuddy -c "Add :LSEnvironment:CMUXD_UNIX_PATH string \"${CMUXD_SOCKET}\"" "$INFO_PLIST"
Expand Down
Loading