From babf1d6620d858c30f5204e17768037e83eb3346 Mon Sep 17 00:00:00 2001 From: Tyler Koenig Date: Sun, 17 May 2026 23:24:58 -0400 Subject: [PATCH] fix(tui): harden EDITOR handling and SQL sort/order validation Split EDITOR env var on whitespace so multi-word values like "code --wait" work correctly. Add allow-list switch for sort column and order direction at the query boundary to prevent future callers from passing unsanitized values into SQL. --- internal/db/entities.go | 12 ++++++++++-- internal/tui/commands.go | 11 +++++++---- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/internal/db/entities.go b/internal/db/entities.go index c3488f1..d73f654 100644 --- a/internal/db/entities.go +++ b/internal/db/entities.go @@ -220,12 +220,20 @@ func (s *Store) List(params ListParams) ([]*Entity, error) { } orderCol := "e.created_at" - if params.Sort == "use_count" { + switch params.Sort { + case "use_count": orderCol = "e.use_count" + case "created_at", "": + orderCol = "e.created_at" + default: + orderCol = "e.created_at" } orderDir := "DESC" - if strings.EqualFold(params.Order, "asc") { + switch strings.ToLower(params.Order) { + case "asc": orderDir = "ASC" + default: + orderDir = "DESC" } limit := params.Limit diff --git a/internal/tui/commands.go b/internal/tui/commands.go index a247cd3..d916465 100644 --- a/internal/tui/commands.go +++ b/internal/tui/commands.go @@ -3,6 +3,7 @@ package tui import ( "os" "os/exec" + "strings" "time" "github.com/atotto/clipboard" @@ -179,10 +180,12 @@ func loadTags(store *db.Store) tea.Cmd { } func editInEditor(store *db.Store, e *db.Entity) tea.Cmd { - editor := os.Getenv("EDITOR") - if editor == "" { - editor = "vi" + editorEnv := os.Getenv("EDITOR") + if editorEnv == "" { + editorEnv = "vi" } + parts := strings.Fields(editorEnv) + editor, editorArgs := parts[0], parts[1:] f, err := os.CreateTemp("", "nib-edit-*.md") if err != nil { 
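Review bot: The `case "created_at", "":` and `default:` arms of the `params.Sort` switch both assign the value `orderCol` already holds from its initializer, so an unrecognised sort column is silently coerced to `e.created_at` rather than rejected, and the two arms are indistinguishable. If the intent stated in the commit message is a hard boundary for future callers, failing closed surfaces the bug at the call site: `default: return nil, fmt.Errorf("list: unsupported sort column %q", params.Sort)` (assuming `fmt` is imported in this file and no current caller relies on the fallback). If the fallback is deliberate, fold the two arms into one `default:` and say so in a comment such as `// unknown Sort values fall back to created_at; only allow-listed names reach the ORDER BY`. The same applies to the `params.Order` switch, whose `default:` re-assigns the `"DESC"` it already holds. List's body begins and ends outside the hunk.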
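Review bot: `parts[0]` panics when EDITOR is set but contains only whitespace (for example `EDITOR=" "`), because the `editorEnv == ""` check above it does not trip and `strings.Fields` then returns an empty slice; guard the split result instead, `if len(parts) == 0 { parts = []string{"vi"} }`, placed after the `strings.Fields` call (the empty-string check then becomes redundant). Note also that `strings.Fields` does not honour shell quoting, so a value like `EDITOR="/opt/my editor/bin/ed"` is split into two tokens; since the command is built with `exec.Command` and no shell is involved there is no injection concern, but the limitation deserves a comment such as `// split on whitespace only; shell quoting is not supported, and no shell is invoked`. editInEditor's body continues past the end of the hunk.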
@@ -195,7 +198,7 @@ func editInEditor(store *db.Store, e *db.Entity) tea.Cmd { } f.Close() - c := exec.Command(editor, f.Name()) + c := exec.Command(editor, append(editorArgs, f.Name())...) return tea.ExecProcess(c, func(err error) tea.Msg { defer os.Remove(f.Name()) if err != nil {