Skip to content

security

security

Terminal output sanitization.

Strings derived from external sources (SSH key comments, file paths, credential names, JSON config values) may contain ANSI escape sequences or other C0/C1 control characters. Printing them raw to a terminal allows output spoofing, title manipulation, or clipboard injection via OSC 52 (CWE-150).

sanitize_tty strips these before display.

__all__ = ['sanitize_tty'] module-attribute

sanitize_tty(s)

Replace terminal control characters with safe representations.

Whitespace controls (newline, carriage return, tab) become spaces. All other characters in Unicode category C (control, format, surrogate, private use, unassigned) are rendered as \xNN hex escapes. Printable text passes through unchanged.

Source code in src/terok_util/security.py 
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
def sanitize_tty(s: str) -> str:
    """Replace terminal control characters with safe representations.

    Whitespace controls (newline, carriage return, tab) become spaces.
    All other characters in Unicode category ``C`` (control, format,
    surrogate, private use, unassigned) are rendered as ``\\xNN`` hex
    escapes.  Printable text passes through unchanged.
    """
    out: list[str] = []
    for ch in s:
        if ch in ("\n", "\r", "\t"):
            out.append(" ")
        elif unicodedata.category(ch).startswith("C"):
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)