
Fix command injection vulnerability in branch setup #736

Merged: bogini merged 2 commits into main from claude/fix-command-injection-01QzjX7e3Yz6iKMrNrAWaxuJ on Dec 12, 2025

Conversation

bogini (Contributor) commented Dec 12, 2025

Replace Bun shell template literals with Node.js execFileSync to prevent command injection attacks via malicious branch names. Branch names from PR data (headRefName) are now validated against a strict whitelist pattern before use in git commands.

Changes:

  • Add validateBranchName() function with strict character whitelist
  • Replace $`git ...` shell templates with execGit() using execFileSync
  • Validate all branch names before use in git operations

ashwin-ant previously approved these changes Dec 12, 2025

Review comment threads on src/github/operations/branch.ts (four threads, one marked Outdated)
- Enhanced execGit JSDoc to explain security benefits of execFileSync
- Added comprehensive branch name validation:
  - Leading dash check (prevents option injection)
  - Control characters and special git characters (~^:?*[\])
  - Leading/trailing period checks
  - Trailing slash and consecutive slash checks
- Added -- separator to git checkout commands
- Added 30 unit tests for validateBranchName covering:
  - Valid branch names
  - Command injection attempts
  - Option injection attempts
  - Path traversal attempts
  - Git-specific invalid patterns
  - Control characters and edge cases

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
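The following TypeScript is an added illustration of the pattern this PR describes; it is not the project's branch.ts, whose actual implementation is not shown on this page. It pairs a validateBranchName() with the checks listed in the second commit message (leading dash, special git characters, leading/trailing period, trailing slash, consecutive slashes) with an execGit() that hands git an argv array through execFileSync, so no shell ever parses the branch name. The exact character whitelist, the error messages, the branchNameProblem/checkoutArgs/auditNames helpers and the sample names are assumptions constructed for this example.

```typescript
import { execFileSync } from "node:child_process";

// Allowed characters: ASCII letters, digits and . _ - /  (an assumption for this
// example). Everything else is rejected, which covers spaces, quotes, $ ; | & `,
// control characters and the git-special characters ~ ^ : ? * [ \ named in the PR.
const ALLOWED_CHARS = /^[A-Za-z0-9._\/-]+$/;

// Returns null for an acceptable name, otherwise a short reason for rejection,
// so callers can log precisely why a PR's headRefName was refused.
export function branchNameProblem(name: string): string | null {
  if (name.length === 0) return "empty name";
  if (name.length > 255) return "name longer than 255 characters";
  if (name.startsWith("-")) return "leading dash (would be parsed as an option)";
  if (!ALLOWED_CHARS.test(name)) return "contains characters outside [A-Za-z0-9._/-]";
  if (name.startsWith(".") || name.endsWith(".")) return "leading or trailing period";
  if (name.endsWith("/")) return "trailing slash";
  if (name.includes("//")) return "consecutive slashes";
  // The remaining rules mirror git's own ref-format restrictions (git check-ref-format).
  if (name.includes("..")) return "contains '..'";
  if (name.endsWith(".lock")) return "ends with .lock";
  if (name.split("/").some((seg) => seg.startsWith("."))) return "path component starts with a period";
  return null;
}

// Throwing variant: use this at the boundary where PR data enters git operations.
export function validateBranchName(name: string): string {
  const problem = branchNameProblem(name);
  if (problem !== null) {
    throw new Error(`Invalid branch name ${JSON.stringify(name)}: ${problem}`);
  }
  return name;
}

// argv for a checkout. The trailing "--" tells git that nothing after it is an
// option, a second line of defence behind the leading-dash check above.
export function checkoutArgs(branch: string): string[] {
  return ["checkout", validateBranchName(branch), "--"];
}

// execFileSync never spawns /bin/sh (shell defaults to false), so metacharacters
// in any argument reach git literally instead of being interpreted.
export function execGit(args: string[], cwd?: string): string {
  return execFileSync("git", args, { cwd, encoding: "utf8" });
}

// Constructed sample names, one per category the PR's unit tests cover.
export const SAMPLE_NAMES: string[] = [
  "feature/add-login",     // valid
  "fix-123_v2.0",          // valid
  "feature; id",           // shell metacharacters
  "--force",               // option injection
  "../../etc/passwd",      // path traversal
  "feature..old",          // git-invalid pattern
  "release/",              // trailing slash
  "a//b",                  // consecutive slashes
  "bad\u0000name",         // control character
  "",                      // empty
];

// Pairs each name with its verdict; null means accepted.
export function auditNames(names: string[]): Array<[string, string | null]> {
  return names.map((n) => [n, branchNameProblem(n)]);
}

for (const [name, verdict] of auditNames(SAMPLE_NAMES)) {
  const tag = verdict === null ? "accept" : "reject";
  console.log(`${tag}  ${JSON.stringify(name)}${verdict ? `  (${verdict})` : ""}`);
}
```

The two layers are independent: execFileSync removes the shell, so a name like "feature; id" can no longer run a second command, while the whitelist and the "--" separator stop a name such as "--force" from being read by git as an option. Keep both; dropping the validator would still leave option injection on the table.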
3 participants