From 6a5c2ba53b734f3cdd8daacbd49f68f3e6c8c167 Mon Sep 17 00:00:00 2001 From: xiaolai Date: Thu, 9 Apr 2026 05:48:50 +0800 Subject: [PATCH] fix: quote \$ARGUMENTS in cancel, result, and status commands (#168) Unquoted \$ARGUMENTS in the ! shell commands allowed shell metacharacters in user-supplied job IDs to be expanded before Node received them (e.g., `task-123; malicious-cmd` would execute the trailing command). This is inconsistent with review.md and adversarial-review.md, which both wrap "$ARGUMENTS" in double quotes. Co-authored-by: claude[bot] Co-authored-by: Claude Code --- plugins/codex/commands/cancel.md | 2 +- plugins/codex/commands/result.md | 2 +- plugins/codex/commands/status.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/codex/commands/cancel.md b/plugins/codex/commands/cancel.md index 4be495c..a1472b8 100644 --- a/plugins/codex/commands/cancel.md +++ b/plugins/codex/commands/cancel.md @@ -5,4 +5,4 @@ disable-model-invocation: true allowed-tools: Bash(node:*) --- -!`node "${CLAUDE_PLUGIN_ROOT}/scripts/codex-companion.mjs" cancel $ARGUMENTS` +!`node "${CLAUDE_PLUGIN_ROOT}/scripts/codex-companion.mjs" cancel "$ARGUMENTS"` diff --git a/plugins/codex/commands/result.md b/plugins/codex/commands/result.md index 6d32f7d..3abc2d9 100644 --- a/plugins/codex/commands/result.md +++ b/plugins/codex/commands/result.md @@ -5,7 +5,7 @@ disable-model-invocation: true allowed-tools: Bash(node:*) --- -!`node "${CLAUDE_PLUGIN_ROOT}/scripts/codex-companion.mjs" result $ARGUMENTS` +!`node "${CLAUDE_PLUGIN_ROOT}/scripts/codex-companion.mjs" result "$ARGUMENTS"` Present the full command output to the user. Do not summarize or condense it. Preserve all details including: - Job ID and status diff --git a/plugins/codex/commands/status.md b/plugins/codex/commands/status.md index e18c1cd..8f70663 100644 --- a/plugins/codex/commands/status.md +++ b/plugins/codex/commands/status.md 
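Review bot: Double-quoting `"$ARGUMENTS"` on the changed line of cancel.md (and identically in result.md and status.md) stops word splitting and operators such as `;`, but inside double quotes a shell still performs command substitution, and an embedded double-quote character ends the string early. Whether that matters depends on how the placeholder reaches the shell: if the value is pasted into the command text before the shell parses it, rather than passed as a real variable, these three lines are only partly hardened; the diff does not show which it is. I would record the assumption beside each command, e.g. `<!-- quoting "$ARGUMENTS" assumes the value reaches the shell as a variable, not as pasted text -->`. I would also add a regression test using a job ID that contains a quote character, and the commit message should describe the change as reducing rather than removing the injection risk until that is confirmed.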
@@ -5,7 +5,7 @@ disable-model-invocation: true allowed-tools: Bash(node:*) --- -!`node "${CLAUDE_PLUGIN_ROOT}/scripts/codex-companion.mjs" status $ARGUMENTS` +!`node "${CLAUDE_PLUGIN_ROOT}/scripts/codex-companion.mjs" status "$ARGUMENTS"` If the user did not pass a job ID: - Render the command output as a single Markdown table for the current and past runs in this session.
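Review bot: With the quotes in place, a bare status invocation now hands the script one empty-string argument (`status ""`), and several space-separated tokens arrive as a single argv entry, while the prose directly below this line still relies on the "did not pass a job ID" case. How codex-companion.mjs treats an empty or space-containing argument is not visible in this diff, so it should be confirmed that the no-ID path still lists all runs instead of looking up a job with an empty name. If the script does not already normalise its input, drop blank arguments before dispatch, for example (names are placeholders) `const args = argv.filter((a) => a.trim() !== "");`. The same check applies to the cancel and result commands.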