[Security] Harden git commands against flag injection#7583
gonzaloriestra wants to merge 4 commits into
Conversation
Harden `downloadGitRepository` and `checkIfIgnoredInGitRepository` by using the `--` separator to prevent flag injection from repository URLs or file paths starting with a dash. Add regression tests to verify that flag-like strings are correctly handled as positional arguments.
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with

New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
6239ef8 to 0ba16e2
/snapit

🫰✨ Thanks @gonzaloriestra! Your snapshot has been published to npm. Test the snapshot by installing your package globally:

`pnpm i -g --@shopify:registry=https://registry.npmjs.org @shopify/cli@0.0.0-snapshot-20260520081414`

Caution: After installing, validate the version by running
User-controlled strings like repository URLs, file paths, or tag names passed to Git commands can be interpreted as flags if they start with a dash. This PR hardens Git commands in `@shopify/cli-kit` by:

1. Adding the `--` separator to `git clone` and `git check-ignore` to explicitly separate options from positional arguments.
2. Using the `refs/tags/` prefix for `git checkout` to ensure the argument is treated as a revision rather than a flag or pathspec.

Additionally, this PR includes a fix for pre-existing GraphQL schema drift in `packages/app` to allow CI to pass. Regression tests have been added to verify that "flag-like" inputs are correctly handled.
eca8b3d to 753cea5
WHY are these changes introduced?
Prevent command-line flag injection in Git utility functions.
WHAT is this pull request doing?
This PR hardens the `git` utility functions `downloadGitRepository` and `checkIfIgnoredInGitRepository` by using the `--` separator. This ensures that repository URLs and file paths starting with a dash are correctly interpreted as positional arguments and not as command flags.

How to test your changes?
CI
Checklist
(`patch` for bug fixes · `minor` for new features · `major` for breaking changes) and added a changeset with `pnpm changeset add`

PR created automatically by Jules for task 13294469305582373459 started by @gonzaloriestra
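The PR body and the WHAT section above both describe the same two mitigations: placing `--` before user-controlled positional arguments for `git clone` and `git check-ignore`, and addressing tags as `refs/tags/<tag>` for `git checkout`. The following is an added example, not code from `@shopify/cli-kit` or from this PR, written to show why the argument ordering matters. It builds the argv arrays a CLI would pass to `git` and classifies them with a small model of git's option parser (options may appear anywhere in argv, anything beginning with `-` is an option, and `--` ends option parsing). The function names, the `--depth=1` / `--quiet` options and the flag-like sample inputs are constructed for the example and are not the project's own.

```typescript
// Added example, not code from @shopify/cli-kit or this PR. It models why
// the `--` separator and the `refs/tags/` prefix matter by building git argv
// arrays and classifying them the way git's option parser would.

type Parsed = { options: string[]; positional: string[] };

// Model of git's parse-options behaviour: options may appear anywhere in argv
// (git permutes them), any argument beginning with `-` is treated as an option,
// and `--` ends option parsing so everything after it is positional.
function classifyArgv(argv: string[]): Parsed {
  const options: string[] = [];
  const positional: string[] = [];
  let optionsEnded = false;
  for (const arg of argv) {
    if (!optionsEnded && arg === '--') {
      optionsEnded = true;
      continue;
    }
    if (!optionsEnded && arg.length > 1 && arg.startsWith('-')) {
      options.push(arg);
    } else {
      positional.push(arg);
    }
  }
  return { options, positional };
}

// Before: the user-controlled URL, path or tag sits where an option could go.
function cloneArgvUnsafe(repoUrl: string, dest: string): string[] {
  return ['clone', '--depth=1', repoUrl, dest];
}
function checkIgnoreArgvUnsafe(filePath: string): string[] {
  return ['check-ignore', '--quiet', filePath];
}
function checkoutTagArgvUnsafe(tag: string): string[] {
  return ['checkout', tag];
}

// After: `--` pins the user-controlled value to a positional slot. For
// checkout, `--` would turn the argument into a pathspec instead, so the tag
// is addressed as a full ref, which can be neither a flag nor a pathspec.
function cloneArgvHardened(repoUrl: string, dest: string): string[] {
  return ['clone', '--depth=1', '--', repoUrl, dest];
}
function checkIgnoreArgvHardened(filePath: string): string[] {
  return ['check-ignore', '--quiet', '--', filePath];
}
function checkoutTagArgvHardened(tag: string): string[] {
  return ['checkout', `refs/tags/${tag}`];
}

// Regression-style check: does a user-supplied value end up parsed as an option?
function userValueParsedAsOption(argv: string[], value: string): boolean {
  return classifyArgv(argv).options.includes(value);
}

// Constructed flag-like inputs for the example (not from any real incident).
const FLAG_LIKE_URL = '--upload-pack=evil';
const FLAG_LIKE_PATH = '--no-index';
const FLAG_LIKE_TAG = '--orphan';

// Stand-alone demonstration of the three commands before and after hardening.
function demo(): Record<string, boolean> {
  return {
    cloneUnsafeLeaksFlag: userValueParsedAsOption(cloneArgvUnsafe(FLAG_LIKE_URL, 'dest'), FLAG_LIKE_URL),
    cloneHardenedLeaksFlag: userValueParsedAsOption(cloneArgvHardened(FLAG_LIKE_URL, 'dest'), FLAG_LIKE_URL),
    checkIgnoreUnsafeLeaksFlag: userValueParsedAsOption(checkIgnoreArgvUnsafe(FLAG_LIKE_PATH), FLAG_LIKE_PATH),
    checkIgnoreHardenedLeaksFlag: userValueParsedAsOption(checkIgnoreArgvHardened(FLAG_LIKE_PATH), FLAG_LIKE_PATH),
    checkoutUnsafeLeaksFlag: userValueParsedAsOption(checkoutTagArgvUnsafe(FLAG_LIKE_TAG), FLAG_LIKE_TAG),
    checkoutHardenedLeaksFlag: classifyArgv(checkoutTagArgvHardened(FLAG_LIKE_TAG)).options.length > 0,
  };
}

console.log(demo());
```

Note what the unsafe clone produces: with the URL parsed as an option, the only remaining positional after `clone` is the destination directory, which git would then treat as the repository to clone. With `--` in place the URL is the first positional after the separator regardless of its leading dashes, which is exactly the property the regression tests in this PR check.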