From ee6d0bd321796cf06ecd1737ae6e2e5252d492f6 Mon Sep 17 00:00:00 2001
From: David Rudduck <47308254+davidrudduck@users.noreply.github.com>
Date: Thu, 19 Feb 2026 21:17:06 +1000
Subject: [PATCH] fix(security): escape backticks in exec-approval command previews (#20854)

Command text displayed in Discord exec-approval embeds was not sanitized, allowing crafted commands containing backticks to break out of the markdown code block and inject arbitrary Discord formatting. This fix inserts a zero-width space before each backtick to neutralize markdown injection.
---
src/discord/monitor/exec-approvals.ts | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/discord/monitor/exec-approvals.ts b/src/discord/monitor/exec-approvals.ts
index 6be9163db8..3acab4e439 100644
--- a/src/discord/monitor/exec-approvals.ts
+++ b/src/discord/monitor/exec-approvals.ts
@@ -230,8 +230,8 @@ function createExecApprovalRequestContainer(params: { actionRow?: Row