Check more escape sequences

Author: mrubens

webview-ui/src/utils/__tests__/command-validation.spec.ts

@@ -246,6 +246,17 @@ ls -la || echo "Failed"`
 			expect(containsDangerousSubstitution('echo "${var=\\xFF}"')).toBe(true)
 		})
 
+		it("detects parameter assignments with unicode escape sequences", () => {
+			// Unicode \u0060 is backtick
+			expect(containsDangerousSubstitution('echo "${var=\\u0060whoami\\u0060}"')).toBe(true)
+			expect(containsDangerousSubstitution('echo "${var:=\\u0060ls\\u0060}"')).toBe(true)
+			expect(containsDangerousSubstitution('echo "${var+\\u0060pwd\\u0060}"')).toBe(true)
+			expect(containsDangerousSubstitution('echo "${var:-\\u0060date\\u0060}"')).toBe(true)
+			// Test various unicode patterns
+			expect(containsDangerousSubstitution('echo "${var=\\u0000\\u0060\\u0061}"')).toBe(true)
+			expect(containsDangerousSubstitution('echo "${var=\\uFFFF}"')).toBe(true)
+		})
+
 		it("detects indirect variable references", () => {
 			// ${!var} performs indirect expansion which can be dangerous
 			expect(containsDangerousSubstitution("echo ${!var}")).toBe(true)

webview-ui/src/utils/command-validation.ts

@@ -68,7 +68,7 @@ type ShellToken = string | { op: string } | { command: string }
  * - ${var@E} - Escape sequence expansion
  * - ${var@A} - Assignment statement
  * - ${var@a} - Attribute flags
- * - ${var=value} with escape sequences - Can embed commands via \140 (backtick) or \x60
+ * - ${var=value} with escape sequences - Can embed commands via \140 (backtick), \x60, or \u0060
  * - ${!var} - Indirect variable references
  * - <<<$(...) or <<<`...` - Here-strings with command substitution
  *
@@ -89,7 +89,8 @@ export function containsDangerousSubstitution(source: string): boolean {
 	// Also check for ${var+value}, ${var:-value}, ${var:+value}, ${var:?value}
 	const parameterAssignmentWithEscapes =
 		/\$\{[^}]*[=+\-?][^}]*\\[0-7]{3}[^}]*\}/.test(source) || // octal escapes
-		/\$\{[^}]*[=+\-?][^}]*\\x[0-9a-fA-F]{2}[^}]*\}/.test(source) // hex escapes
+		/\$\{[^}]*[=+\-?][^}]*\\x[0-9a-fA-F]{2}[^}]*\}/.test(source) || // hex escapes
+		/\$\{[^}]*[=+\-?][^}]*\\u[0-9a-fA-F]{4}[^}]*\}/.test(source) // unicode escapes
 
 	// Check for indirect variable references that could execute commands
 	// ${!var} performs indirect expansion which can be dangerous with crafted variable names