From 6b5f7ae8185b74e46adb3a8de5738cc945d20c4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iv=C3=A1n=20Alejandro=20Marug=C3=A1n?=
 <hello@ialejandro.rocks>
Date: Sun, 15 Feb 2026 16:35:22 +0100
Subject: [PATCH 1/2] fix: Unvalidated dynamic method call
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Iván Alejandro Marugán <hello@ialejandro.rocks>
---
 src/lib/terminal/simulator.ts | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/src/lib/terminal/simulator.ts b/src/lib/terminal/simulator.ts
index 85fe340..1c01b8c 100644
--- a/src/lib/terminal/simulator.ts
+++ b/src/lib/terminal/simulator.ts
@@ -22,6 +22,9 @@ export function executeCommand(
 
   const trimmedCommand = command.trim();
 
+  // Selected handler to execute after validation
+  let handlerToExecute: ((code: string) => TerminalResponse) | undefined;
+
   // Check for exact match first (ensure own property and handler is a function)
   const exactHandler = Object.prototype.hasOwnProperty.call(
     exercise.terminalCommands,
@@ -31,17 +34,22 @@ export function executeCommand(
     : undefined;
 
   if (typeof exactHandler === "function") {
-    return exactHandler(currentCode);
+    handlerToExecute = exactHandler;
+  } else {
+    // Check for command prefix match (e.g., "kubectl logs <pod-name>" matches "kubectl logs")
+    for (const [pattern, handler] of Object.entries(exercise.terminalCommands)) {
+      if (typeof handler !== "function") {
+        continue;
+      }
+      if (trimmedCommand.startsWith(pattern) || pattern.startsWith(trimmedCommand)) {
+        handlerToExecute = handler;
+        break;
+      }
+    }
   }
 
-  // Check for command prefix match (e.g., "kubectl logs <pod-name>" matches "kubectl logs")
-  for (const [pattern, handler] of Object.entries(exercise.terminalCommands)) {
-    if (typeof handler !== "function") {
-      continue;
-    }
-    if (trimmedCommand.startsWith(pattern) || pattern.startsWith(trimmedCommand)) {
-      return handler(currentCode);
-    }
+  if (handlerToExecute) {
+    return handlerToExecute(currentCode);
   }
 
   // Built-in commands

From 0935bfbfc2fb29024f6dbda20750da9662eb66f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iv=C3=A1n=20Alejandro=20Marug=C3=A1n?=
 <hello@ialejandro.rocks>
Date: Sun, 15 Feb 2026 16:39:28 +0100
Subject: [PATCH 2/2] ci: Remove permissions from lint-test workflow (#22)

---
 .github/workflows/lint-test.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml
index e9cfa34..ed5d6d7 100644
--- a/.github/workflows/lint-test.yml
+++ b/.github/workflows/lint-test.yml
@@ -7,9 +7,6 @@ on:
   pull_request:
     branches: [main]
 
-permissions:
-  contents: read
-
 jobs:
   lint:
     name: Lint (Node ${{ matrix.node-version }})