fix: add PowerShell string escaping for security best practices
Adds proper PowerShell escaping to prevent theoretical command injection in Start-Process arguments on Windows. Security Context: - All paths (bunPath, script, MARKETPLACE_ROOT) are application-controlled - Not user input - derived from system paths and installation directories - If attacker could modify these, they already have filesystem access - This includes direct access to ~/.claude-mem/claude-mem.db - Nevertheless, proper escaping follows security best practices Changes: - Added escapePowerShellString() helper for PowerShell single-quote escaping - Escapes all path arguments before PowerShell command construction - Added security context comment explaining threat model Fixes: Security concern raised in PR #339 review 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Alex Newman
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
+12
-12
File diff suppressed because one or more lines are too long
+12
-12
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
Reference in New Issue
Block a user