test: add GUI manager coverage tests

[YASHcode-IIITV]

What does this PR do?

Adds and enables GUI module test coverage infrastructure for Issue #270.

Changes made

• Added test_gui_manager.cpp coverage tests.
• Fixed outdated include paths and API usage in GUI-related tests.
• Updated the amplitron-tests target to include required GUI sources.
• Added missing compile definitions required by GUI test builds (AMPLITRON_VERSION).
• Added Dear ImGui sources and GUI dependencies to the test target so GUI tests compile and link correctly on Windows.
• Verified successful build of amplitron-tests.exe.

Related Issue

Fixes #270

Type of Change

• ✅ Tests
• 🔧 Build / CI / Configuration

How Was This Tested?

• Platform(s) tested on: Windows 11
• Build system: CMake + Visual Studio Build Tools
• Test command run: .\Debug\amplitron-tests.exe

Results

• 290 tests passed

• 1 unrelated preset-loading test failed:

  • json_can_load_existing_factory_presets

Checklist

• Code compiles and builds successfully on my platform
• All existing tests pass (./amplitron-tests)
• New tests added for GUI coverage
• Documentation updated (not applicable)
• No blocking calls introduced on the audio thread
• Tested on: Windows 11

Screenshots / Demo

N/A (test and build infrastructure changes)

Summary by CodeRabbit

• Bug Fixes

  • Service worker now logs fetch failures and returns a clear 503 “Network error” response.

• Tests

  • Expanded end-to-end and unit test coverage for audio, GUI, update-checking and command-history flows; added headless/mock support to make CI and non-GUI testing deterministic.

[coderabbitai]

Looking for one thing? Review this PR in Change Stack to search files, summaries, diffs, and code without losing your place.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ee072137-8b75-4c23-9d31-598d8abaa40c

📥 Commits

Reviewing files that changed from the base of the PR and between 585e56e and 76295a4.

📒 Files selected for processing (1)

• tests/ui/test_gui_manager.cpp

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/ui/test_gui_manager.cpp

---

📝 Walkthrough

Walkthrough

Adds a new test header with shared AudioEngine helpers and unit tests; introduces headless dialog mocks and WindowContext headless flow with mock flags; centralizes PortAudio mocks via RAII; expands GuiManager tests with macro-based ImGui/update-checker mocks; and handles fetch rejections in service worker.

Changes

Tests, headless wiring, and mock infrastructure

Layer / File(s)	Summary
AudioEngine test helpers and unit tests src/audio/audio_engine.h	Shared AudioEngine accessor and clear helper; tests for GuiManager lifecycle/initialize behavior, CommandHistory undo/redo, version parsing/comparison, JSON field extractors, and end-to-end release-detection flows.
Headless dialog mock declarations and wiring src/gui/dialogs/file_dialog.h, src/gui/dialogs/file_dialog_native.cpp, src/gui/dialogs/file_dialog_native_folder.cpp, src/gui/dialogs/file_dialog_native_open.cpp	Adds AMPLITRON_HEADLESS extern mock-result strings and wires native headless dialog implementations to return configurable mock results.
WindowContext headless control flow and mocks src/gui/window_context.cpp	Adds headless-mode initialize/poll/begin/end no-op flows, mock flags to force initialize/poll failures, and compile-time guards to skip SDL/GL/ImGui setup/teardown in headless builds.
PortAudio test mocks and RAII helper tests/integration/test_audio_backend_portaudio.cpp	Centralizes PortAudio mock globals and adds MockGuard RAII to install default mock behavior for device enumeration and stream lifecycle; updates tests to use MockGuard.
GuiManager bootstrap and small lifecycle adjustments tests/ui/test_gui_manager.cpp	Exposes private/protected members for testing and adds explicit GuiManager::initialize() calls in basic lifecycle and double-shutdown tests.
Macro-based GUI mocks and comprehensive GUI tests tests/ui/test_gui_manager.cpp	Adds headless ImGui/GUI wrappers, MockGuiManager/MockUpdateChecker, includes GUI sources under mocks, and expands tests covering menus, per-frame behavior, update-check parsing, recorder/tuner branches, undo/redo, and UIComponent wiring.
Service worker fetch rejection handling web/coi-serviceworker.js	Adds fetch rejection handling to log errors and return a 503 plain-text response on network fetch failures; minor formatting adjustments.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• sudip-mondal-2002/Amplitron#112: GuiManager unit tests that exercise GuiManager::midi_manager() access, related to GuiManager tests here.
• sudip-mondal-2002/Amplitron#22: Adds CommandHistory/command implementations; related to the undo/redo CommandHistory tests added in this PR.

Suggested labels

GUI, quality:clean, type:devops

Suggested reviewers

• MohitBareja16
• sudip-mondal-2002

Poem

🐰 In headless labs where mocks abound I hop,

Tests compile, the green checks never stop.
Undo and redo, versions parsed just right,
Dialogs mocked and frames that run at night.
Hooray — the CI lights glow soft and bright.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 6.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'test: add GUI manager coverage tests' accurately and concisely describes the primary change—adding test coverage for GUI manager modules to address poor test coverage issues.
Linked Issues check	✅ Passed	The PR adds comprehensive GUI manager test coverage through test_gui_manager.cpp and supporting headless testing infrastructure, directly addressing Issue #270's requirement to improve GUI module test coverage to 90%+.
Out of Scope Changes check	✅ Passed	Changes include headless-mode mocking infrastructure, file dialog mocks, window context headless support, and PortAudio test refactoring—all supporting the main objective of enabling GUI test coverage without being out-of-scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Infer (1.2.0)

tests/ui/test_gui_manager.cpp

tests/ui/test_gui_manager.cpp:8:10: fatal error: 'amplitron_session.h' file not found
8 | #include "amplitron_session.h"
| ^~~~~~~~~~~~~~~~~~~~~
1 error generated.
Error: the following clang command did not run successfully:
/opt/infer-linux-x86_64-v1.2.0/lib/infer/facebook-clang-plugins/clang/install/bin/clang-18
@/tmp/coderabbit-infer/76295a418734c325a4f4222d1140adef8e40480b-7f278e3aa656e45a/tmp/clang_command_.tmp.7e6f2f.txt
++Contents of '/tmp/coderabbit-infer/76295a418734c325a4f4222d1140adef8e40480b-7f278e3aa656e45a/tmp/clang_command_.tmp.7e6f2f.txt':
"-cc1" "-load"
"/opt/infer-linux-x86_64-v1.2.0/lib/infer/infer/bin/../../facebook-clang-plugins/libtooling/build/FacebookClangPlugin.dylib"
"-add-plugin" "BiniouASTExporter" "-plugin-arg-BiniouASTExporter" "-"
"-plugin-arg-BiniouASTExporter" "PREPEND_CURRENT_DIR=1"
"-plugin-arg-BiniouASTExporter" "MAX_STRING_SIZE=65535" "-cc1" "-triple"
"x86_64-unknown-linux-gnu" "-emit-obj" "-mrela

... [truncated 1097 characters] ...

stall/lib/clang/18/include"
"-internal-isystem" "/usr/local/include" "-internal-isystem"
"/usr/lib/gcc/x86_64-linux-gnu/12/../../../../x86_64-linux-gnu/include"
"-internal-externc-isystem" "/usr/include/x86_64-linux-gnu"
"-internal-externc-isystem" "/include" "-internal-externc-isystem"
"/usr/include" "-Wno-ignored-optimization-argument" "-Wno-everything"
"-fdeprecated-macro" "-ferror-limit" "19" "-fgnuc-version=4.2.1"
"-fskip-odr-check-in-gmf" "-fcxx-exceptions" "-fexceptions"
"-D__GCC_HAVE_DWARF2_CFI_ASM=1" "-o"
"/tmp/coderabbit-infer/7f278e3aa656e45a/file.o" "-x" "c++"
"tests/ui/test_gui_manager.cpp" "-O0" "-fno-builtin" "-include"
"/opt/infer-linux-x86_64-v1.2.0/lib/infer/infer/bin/../lib/clang_wrappers/global_defines.h"
"-Wno-everything"

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

CMakeLists.txt (1)

526-527: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update comment to reflect GUI sources inclusion.

The comment states "Effect + core sources needed by tests (no GUI, no main)" but the CORE_SOURCES list now includes 21 GUI-related files (gui_manager, pedal_board, gui_snapshots, etc.) needed for the new GUI test coverage. The comment should be updated to accurately describe the expanded scope.

📝 Proposed comment update

-    # Effect + core sources needed by tests (no GUI, no main)
+    # Effect + core sources needed by tests (includes GUI components, no main)
     set(CORE_SOURCES

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CMakeLists.txt` around lines 526 - 527, Update the top comment that currently
reads "Effect + core sources needed by tests (no GUI, no main)" to reflect that
CORE_SOURCES now includes GUI-related files; mention that GUI sources are
included for expanded GUI test coverage and optionally cite examples such as
gui_manager, pedal_board, gui_snapshots to make the intent clear so readers know
GUI code is part of the test build.

🧹 Nitpick comments (3)

tests/test_gui_manager.cpp (3)

243-244: 💤 Low value

Inconsistent cleanup pattern across tests.

Several tests (e.g., lines 243-244, 255, 294) set specific gain values (0.7f, 0.8f) at the end, presumably to leave the shared_engine() in a known state. However, this pattern is applied inconsistently—many tests omit it entirely. If cleanup is necessary, apply it uniformly; if not, remove these statements to reduce noise.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_gui_manager.cpp` around lines 243 - 244, The test suite contains
inconsistent cleanup where some tests call engine.set_input_gain(0.7f) and
engine.set_output_gain(0.8f) on the shared_engine() while others do not; decide
on a single approach and make it consistent: either remove these trailing
set_input_gain/set_output_gain calls from all tests if they are unnecessary, or
add the same cleanup at the end of every test that mutates shared_engine() (use
shared_engine().set_input_gain(...) and shared_engine().set_output_gain(...) and
centralize into a helper like reset_shared_engine() if desired) so tests
uniformly restore engine state.

---

17-20: 💤 Low value

Consider test isolation implications of shared singleton.

The static AudioEngine instance creates implicit state sharing between tests. While clear_engine() is called appropriately, this pattern could cause issues if tests ever run in parallel or if cleanup is missed. For now, the sequential execution and careful cleanup make this workable, but consider using a fresh instance per test if isolation becomes a concern.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_gui_manager.cpp` around lines 17 - 20, The tests currently use a
process-wide static AudioEngine via shared_engine(), which creates implicit
state sharing between tests; to improve isolation, change tests to construct and
use a fresh AudioEngine instance per test (or return a unique_ptr from a
factory) instead of the static in shared_engine(), and update callers to call
the new per-test factory (or pass the instance explicitly) rather than relying
on shared_engine(); if retaining a helper, rename/replace shared_engine() to
make_new_engine() or make_unique_engine() and ensure clear_engine() is no longer
relied upon for cleanup.

---

320-349: ⚖️ Poor tradeoff

Version parsing logic duplication is acknowledged but creates maintenance debt.

The comments (lines 311-317) correctly note that parse_version and is_version_newer are duplicated from gui_manager_update.cpp because the originals are local lambdas. While this duplication is currently necessary for testing, any future changes to the source must be manually mirrored here, creating maintenance risk.

Consider extracting the version parsing and comparison logic to a separate utility header (e.g., version_utils.h) that both the production code and tests can include directly. This would eliminate duplication and ensure test coverage automatically tracks implementation changes.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_gui_manager.cpp` around lines 320 - 349, The parse_version and
is_version_newer functions duplicated in tests/test_gui_manager.cpp should be
moved into a shared utility header (e.g., version_utils.h) and used from both
the production file (gui_manager_update.cpp) and the test file to remove
maintenance duplication; create version_utils.h with the parse_version and
is_version_newer declarations/implementations, update gui_manager_update.cpp to
use those functions instead of its local lambdas, and replace the copies in
tests/test_gui_manager.cpp to include and call parse_version/is_version_newer
from the new header.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@CMakeLists.txt`:
- Around line 526-527: Update the top comment that currently reads "Effect +
core sources needed by tests (no GUI, no main)" to reflect that CORE_SOURCES now
includes GUI-related files; mention that GUI sources are included for expanded
GUI test coverage and optionally cite examples such as gui_manager, pedal_board,
gui_snapshots to make the intent clear so readers know GUI code is part of the
test build.

---

Nitpick comments:
In `@tests/test_gui_manager.cpp`:
- Around line 243-244: The test suite contains inconsistent cleanup where some
tests call engine.set_input_gain(0.7f) and engine.set_output_gain(0.8f) on the
shared_engine() while others do not; decide on a single approach and make it
consistent: either remove these trailing set_input_gain/set_output_gain calls
from all tests if they are unnecessary, or add the same cleanup at the end of
every test that mutates shared_engine() (use shared_engine().set_input_gain(...)
and shared_engine().set_output_gain(...) and centralize into a helper like
reset_shared_engine() if desired) so tests uniformly restore engine state.
- Around line 17-20: The tests currently use a process-wide static AudioEngine
via shared_engine(), which creates implicit state sharing between tests; to
improve isolation, change tests to construct and use a fresh AudioEngine
instance per test (or return a unique_ptr from a factory) instead of the static
in shared_engine(), and update callers to call the new per-test factory (or pass
the instance explicitly) rather than relying on shared_engine(); if retaining a
helper, rename/replace shared_engine() to make_new_engine() or
make_unique_engine() and ensure clear_engine() is no longer relied upon for
cleanup.
- Around line 320-349: The parse_version and is_version_newer functions
duplicated in tests/test_gui_manager.cpp should be moved into a shared utility
header (e.g., version_utils.h) and used from both the production file
(gui_manager_update.cpp) and the test file to remove maintenance duplication;
create version_utils.h with the parse_version and is_version_newer
declarations/implementations, update gui_manager_update.cpp to use those
functions instead of its local lambdas, and replace the copies in
tests/test_gui_manager.cpp to include and call parse_version/is_version_newer
from the new header.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f8d75c92-4f6a-49d2-b708-611dd3fff316

📥 Commits

Reviewing files that changed from the base of the PR and between 837ba12 and 4a21b02.

📒 Files selected for processing (2)

• CMakeLists.txt
• tests/test_gui_manager.cpp

[github-actions]

🌍 Cross-Platform Coverage Report

Platforms: Linux + macOS + Windows
Merged Line Coverage: 78.1%

✅ Coverage meets threshold: 78.1% >= 60%

Full Merged Coverage Summary

Summary coverage rate:
  lines......: 78.1% (8528 of 10925 lines)
  functions..: 92.3% (837 of 907 functions)
  branches...: no data found

[github-actions]

PR Preview Ready

Preview URL: https://amplitron.sudipmondal.co.in/pr-previews/pr-305/
Coverage Report: https://amplitron.sudipmondal.co.in/pr-previews/pr-305/test-coverage/

Built from commit bd3f698 and deployed to pr-previews/pr-305.
This preview updates automatically when the PR branch changes and is removed when the PR closes.

[sudip-mondal-2002]

@YASHcode-IIITV lmk when complete

A huge part is missing test coverage for GUI module

[sudip-mondal-2002]

Tests must go to test folder
and coverage is not enough

[sudip-mondal-2002]

@YASHcode-IIITV are you still working on it?

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/audio/audio_engine.h`:
- Around line 14-15: The production header currently includes test_framework.h
and contains TEST(...) blocks (test registration) which must be removed from the
header; move the include of test_framework.h and all TEST(...) blocks (and any
test helper functions) into a new test-only translation unit (e.g.,
audio_engine_test.cpp) that `#includes` the original audio_engine.h, leaving
audio_engine.h with only production declarations/definitions and no test
symbols; update build files to compile the new test TU only in test targets and
delete the test include/TEST blocks from the header.

In `@src/gui/dialogs/file_dialog_native.cpp`:
- Around line 90-97: The code builds shell command strings (cmd) using unescaped
user-controlled variables (default_name, filter_desc, filter_ext) and passes
them to popen(), allowing shell injection; replace this by invoking
/usr/bin/osascript (or the AppleScript API) without a shell: construct an argv
array with program "/usr/bin/osascript" and separate "-e" arguments (one per
script fragment) and call posix_spawn/execvp (or use NSTask/NSAppleScript on
macOS) so arguments are passed directly rather than concatenated into a shell
command; update the code paths that build cmd in file_dialog_native.cpp (the
blocks that create the "choose file name" and related osascript commands) to
stop using popen(cmd.c_str(), "r") with interpolated strings and instead spawn
the process with safe argv passing or use native Cocoa APIs to present the
save/open dialogs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5ee1191f-114b-433a-8073-b28104da8dee

📥 Commits

Reviewing files that changed from the base of the PR and between 247380a and 585e56e.

📒 Files selected for processing (9)

• src/audio/audio_engine.h
• src/gui/dialogs/file_dialog.h
• src/gui/dialogs/file_dialog_native.cpp
• src/gui/dialogs/file_dialog_native_folder.cpp
• src/gui/dialogs/file_dialog_native_open.cpp
• src/gui/window_context.cpp
• tests/integration/test_audio_backend_portaudio.cpp
• tests/ui/test_gui_manager.cpp
• web/coi-serviceworker.js

💤 Files with no reviewable changes (4)

• web/coi-serviceworker.js
• src/gui/window_context.cpp
• tests/ui/test_gui_manager.cpp
• tests/integration/test_audio_backend_portaudio.cpp

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/audio/audio_engine.h`:
- Around line 14-15: The production header currently includes test_framework.h
and contains TEST(...) blocks (test registration) which must be removed from the
header; move the include of test_framework.h and all TEST(...) blocks (and any
test helper functions) into a new test-only translation unit (e.g.,
audio_engine_test.cpp) that `#includes` the original audio_engine.h, leaving
audio_engine.h with only production declarations/definitions and no test
symbols; update build files to compile the new test TU only in test targets and
delete the test include/TEST blocks from the header.

In `@src/gui/dialogs/file_dialog_native.cpp`:
- Around line 90-97: The code builds shell command strings (cmd) using unescaped
user-controlled variables (default_name, filter_desc, filter_ext) and passes
them to popen(), allowing shell injection; replace this by invoking
/usr/bin/osascript (or the AppleScript API) without a shell: construct an argv
array with program "/usr/bin/osascript" and separate "-e" arguments (one per
script fragment) and call posix_spawn/execvp (or use NSTask/NSAppleScript on
macOS) so arguments are passed directly rather than concatenated into a shell
command; update the code paths that build cmd in file_dialog_native.cpp (the
blocks that create the "choose file name" and related osascript commands) to
stop using popen(cmd.c_str(), "r") with interpolated strings and instead spawn
the process with safe argv passing or use native Cocoa APIs to present the
save/open dialogs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5ee1191f-114b-433a-8073-b28104da8dee

📥 Commits

Reviewing files that changed from the base of the PR and between 247380a and 585e56e.

📒 Files selected for processing (9)

• src/audio/audio_engine.h
• src/gui/dialogs/file_dialog.h
• src/gui/dialogs/file_dialog_native.cpp
• src/gui/dialogs/file_dialog_native_folder.cpp
• src/gui/dialogs/file_dialog_native_open.cpp
• src/gui/window_context.cpp
• tests/integration/test_audio_backend_portaudio.cpp
• tests/ui/test_gui_manager.cpp
• web/coi-serviceworker.js

💤 Files with no reviewable changes (4)

• web/coi-serviceworker.js
• src/gui/window_context.cpp
• tests/ui/test_gui_manager.cpp
• tests/integration/test_audio_backend_portaudio.cpp

🛑 Comments failed to post (2)

src/audio/audio_engine.h (1)

14-15: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Move this test suite out of src/audio/audio_engine.h into a test-only translation unit.

Line 14 and the TEST(...) blocks (Line 36 onward) put test framework dependencies and test registration code in a production header path. This risks leaking test symbols/includes into non-test builds and creates fragile include/build contracts.

Also applies to: 36-385

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/audio/audio_engine.h` around lines 14 - 15, The production header
currently includes test_framework.h and contains TEST(...) blocks (test
registration) which must be removed from the header; move the include of
test_framework.h and all TEST(...) blocks (and any test helper functions) into a
new test-only translation unit (e.g., audio_engine_test.cpp) that `#includes` the
original audio_engine.h, leaving audio_engine.h with only production
declarations/definitions and no test symbols; update build files to compile the
new test TU only in test targets and delete the test include/TEST blocks from
the header.

src/gui/dialogs/file_dialog_native.cpp (1)

90-97: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Eliminate shell command injection in save-dialog command construction.

At Line 90 and Line 124, popen() executes shell commands built from function parameters (default_name, filter_desc, filter_ext) without escaping. A crafted value containing quotes/shell operators can break out of the intended argument and execute arbitrary commands.

Suggested fix direction

- FILE* pipe = popen(cmd.c_str(), "r");
+ // Avoid shell interpolation; use fork/exec (as in other dialog paths)
+ // and pass arguments as discrete argv entries, or strictly escape every
+ // interpolated token before constructing shell command strings.

Also applies to: 124-133, 147-149

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/gui/dialogs/file_dialog_native.cpp` around lines 90 - 97, The code builds
shell command strings (cmd) using unescaped user-controlled variables
(default_name, filter_desc, filter_ext) and passes them to popen(), allowing
shell injection; replace this by invoking /usr/bin/osascript (or the AppleScript
API) without a shell: construct an argv array with program "/usr/bin/osascript"
and separate "-e" arguments (one per script fragment) and call
posix_spawn/execvp (or use NSTask/NSAppleScript on macOS) so arguments are
passed directly rather than concatenated into a shell command; update the code
paths that build cmd in file_dialog_native.cpp (the blocks that create the
"choose file name" and related osascript commands) to stop using
popen(cmd.c_str(), "r") with interpolated strings and instead spawn the process
with safe argv passing or use native Cocoa APIs to present the save/open
dialogs.