From 197eda83f986aafb502f15a0b8393d5078296526 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 2 Jun 2026 20:34:47 +0000
Subject: [PATCH] Escape config file name in agent prompt to prevent prompt injection
JSON-encode configFileName in buildConfigUpdatePrompt, matching the existing treatment of config paths/values, so a file name containing a backtick can't break out of the prompt's code span.
Co-Authored-By: mantra
---
 .../src/lib/remote-development-environment/config-file.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/apps/dashboard/src/lib/remote-development-environment/config-file.ts b/apps/dashboard/src/lib/remote-development-environment/config-file.ts
index f7ce04336..1ae6c9f23 100644
--- a/apps/dashboard/src/lib/remote-development-environment/config-file.ts
+++ b/apps/dashboard/src/lib/remote-development-environment/config-file.ts
@@ -352,9 +352,13 @@ function buildConfigUpdatePrompt(configFileName: string, configUpdate: Config):
     return `- ${JSON.stringify(configPath)}: set to ${JSON.stringify(value)}`;
   }).join("\n");
+  // The file name comes from the on-disk path (effectively untrusted), so it's
+  // JSON-encoded for the same reason the change paths/values are above: a name
+  // containing a backtick would otherwise break out of this code span and could
+  // inject extra instructions into the prompt.
   return `You are editing a Hexclave / Stack Auth configuration file in place. Apply a set of configuration changes WITHOUT changing how the file is written.
-Config file: \`${configFileName}\` (in the current working directory).
+Config file: ${JSON.stringify(configFileName)} (in the current working directory).
 The file exports a \`config\` object (it may be wrapped in a helper such as \`defineStackConfig(...)\`). Some config values may be sourced from other files via imports, for example:
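Review bot: JSON-encoding on the rewritten `Config file:` line keeps the name inside one quoted token (quotes, backslashes and newlines are escaped), but it does not stop the model from acting on instruction-like text that sits inside those quotes, so this is a delimiter fix rather than a prompt-injection boundary. If configFileName really is untrusted, as the new comment states, it should be constrained before it reaches the prompt — for example checked against the set of config file names this module expects, or rejected when it contains path separators or non-printable characters — since nothing in the visible prompt tells the model to treat the quoted value as data. The new comment could say so explicitly, e.g. `// JSON-encoding only keeps the name inside one quoted token; it does not make the model treat the name as data.` The comment also still speaks of breaking out of "this code span", but after the change the line no longer uses a backtick code span, so "the surrounding backtick code span it previously sat in" would be more accurate. buildConfigUpdatePrompt starts before this hunk (only its signature is visible in the hunk header) and the template literal continues past the hunk's last line.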