git: Add trusted worktree support to git integrations #50649
Merged
Anthony-Eid merged 5 commits intomainfrom Mar 4, 2026
Merged
git: Add trusted worktree support to git integrations #50649Anthony-Eid merged 5 commits intomainfrom
Anthony-Eid merged 5 commits intomainfrom
Conversation
Contributor
Author
|
/cherry-pick preview |
Contributor
|
🍒💥 Cherry-pick did not succeed |
Anthony-Eid
added a commit
that referenced
this pull request
Mar 4, 2026
This PR cleans up the git command spawning by wrapping everything in GitBinary instead to follow a builder/factory pattern. It also extends trusted workspace support to git commands. I also added a `clippy.toml` configuration to our git crate that warns against using `Command` struct to spawn git commands instead of going through `GitBinary`. This should help us maintain the factory pattern in the future Before you mark this PR as ready for review, make sure that you have: - [x] Added solid test coverage and/or screenshots from doing manual testing - [x] Done a self-review taking into account security and performance aspects Release Notes: - git: Add trusted workspace support for Zed's git integration
Anthony-Eid
added a commit
that referenced
this pull request
Mar 4, 2026
This reverts commit 50c4005. Will cherry pick to stable in a couple of days.
3 tasks
Anthony-Eid
added a commit
that referenced
this pull request
Mar 4, 2026
follow up on: #50649 When committing in a restrictive workspace we avoid running git hooks instead of failing the commit because hooks aren't allowed. I also passed in more git cli hardening configurations to use when Zed spawns git commands Before you mark this PR as ready for review, make sure that you have: - [ ] Added a solid test coverage and/or screenshots from doing manual testing - [x] Done a self-review taking into account security and performance aspects - [ ] Aligned any UI changes with the [UI checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist) Release Notes: - N/A
wzulfikar
pushed a commit
to wzulfikar/zed
that referenced
this pull request
Mar 4, 2026
…#50649) This PR cleans up the git command spawning by wrapping everything in GitBinary instead to follow a builder/factory pattern. It also extends trusted workspace support to git commands. I also added a `clippy.toml` configuration to our git crate that warns against using `Command` struct to spawn git commands instead of going through `GitBinary`. This should help us maintain the factory pattern in the future Before you mark this PR as ready for review, make sure that you have: - [x] Added solid test coverage and/or screenshots from doing manual testing - [x] Done a self-review taking into account security and performance aspects Release Notes: - git: Add trusted workspace support for Zed's git integration
This was referenced Mar 4, 2026
3 tasks
Anthony-Eid
pushed a commit
that referenced
this pull request
Mar 13, 2026
…ternal diff (#51323) When on a untrusted project, if one was to try and use the commit generation functionality, the command would fail because of the `-c diff.external` configuration provided in `GitBinary::build_command`, as git would interpret this as `""` and try to run that command. This `-c diff.external` is a good safeguard to have on untrusted repositories because it prevents random commands, configured in `.git/config` from being run. For example, if one uses `git config diff.external "touch bananas.txt"` and then run `git diff`, a new `bananas.txt` file would be created. However, it was still possible to bypass this safeguard using the following strategy: 1. Specify a custom diff for a specific file format. For example, for markdown files, with `printf '*.md diff=pwned\n' > .gitattributes` 2. Update the command run by the `pwned` diff, for example, `git config diff.pwned.command "touch bananas.txt"` 3. Open Zed and attempt to generate a commit message in an untrusted repository and check that a new `bananas.txt` file was created This is only prevented by using the `--no-ext-diff` flag on the `diff` command, so a new `GitBinary::build_diff_command` has been introduced which simply wraps `GitBinary::build_command` and adds the `--no-ext-diff` flag, if necessary. As a side-effect, this also makes it so that generating a commit message in an untrusted repository works again, which was accidentally broken on #50649 . Before you mark this PR as ready for review, make sure that you have: - [X] Added a solid test coverage and/or screenshots from doing manual testing - [X] Done a self-review taking into account security and performance aspects - [X] Aligned any UI changes with the [UI checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist) Release Notes: - Fixed commit message generation in untrusted repositories
github-actions bot
pushed a commit
that referenced
this pull request
Mar 13, 2026
…ternal diff (#51323) When on a untrusted project, if one was to try and use the commit generation functionality, the command would fail because of the `-c diff.external` configuration provided in `GitBinary::build_command`, as git would interpret this as `""` and try to run that command. This `-c diff.external` is a good safeguard to have on untrusted repositories because it prevents random commands, configured in `.git/config` from being run. For example, if one uses `git config diff.external "touch bananas.txt"` and then run `git diff`, a new `bananas.txt` file would be created. However, it was still possible to bypass this safeguard using the following strategy: 1. Specify a custom diff for a specific file format. For example, for markdown files, with `printf '*.md diff=pwned\n' > .gitattributes` 2. Update the command run by the `pwned` diff, for example, `git config diff.pwned.command "touch bananas.txt"` 3. Open Zed and attempt to generate a commit message in an untrusted repository and check that a new `bananas.txt` file was created This is only prevented by using the `--no-ext-diff` flag on the `diff` command, so a new `GitBinary::build_diff_command` has been introduced which simply wraps `GitBinary::build_command` and adds the `--no-ext-diff` flag, if necessary. As a side-effect, this also makes it so that generating a commit message in an untrusted repository works again, which was accidentally broken on #50649 . Before you mark this PR as ready for review, make sure that you have: - [X] Added a solid test coverage and/or screenshots from doing manual testing - [X] Done a self-review taking into account security and performance aspects - [X] Aligned any UI changes with the [UI checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist) Release Notes: - Fixed commit message generation in untrusted repositories
3 tasks
zed-zippy bot
added a commit
that referenced
this pull request
Mar 13, 2026
…ternal diff (#51323) (cherry-pick to preview) (#51492) Cherry-pick of #51323 to preview ---- When on a untrusted project, if one was to try and use the commit generation functionality, the command would fail because of the `-c diff.external` configuration provided in `GitBinary::build_command`, as git would interpret this as `""` and try to run that command. This `-c diff.external` is a good safeguard to have on untrusted repositories because it prevents random commands, configured in `.git/config` from being run. For example, if one uses `git config diff.external "touch bananas.txt"` and then run `git diff`, a new `bananas.txt` file would be created. However, it was still possible to bypass this safeguard using the following strategy: 1. Specify a custom diff for a specific file format. For example, for markdown files, with `printf '*.md diff=pwned\n' > .gitattributes` 2. Update the command run by the `pwned` diff, for example, `git config diff.pwned.command "touch bananas.txt"` 3. Open Zed and attempt to generate a commit message in an untrusted repository and check that a new `bananas.txt` file was created This is only prevented by using the `--no-ext-diff` flag on the `diff` command, so a new `GitBinary::build_diff_command` has been introduced which simply wraps `GitBinary::build_command` and adds the `--no-ext-diff` flag, if necessary. As a side-effect, this also makes it so that generating a commit message in an untrusted repository works again, which was accidentally broken on #50649 . Before you mark this PR as ready for review, make sure that you have: - [X] Added a solid test coverage and/or screenshots from doing manual testing - [X] Done a self-review taking into account security and performance aspects - [X] Aligned any UI changes with the [UI checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist) Release Notes: - Fixed commit message generation in untrusted repositories Co-authored-by: Dino <dinojoaocosta@gmail.com>
tommyming
pushed a commit
to tommyming/zed
that referenced
this pull request
Mar 15, 2026
…ternal diff (zed-industries#51323) When on a untrusted project, if one was to try and use the commit generation functionality, the command would fail because of the `-c diff.external` configuration provided in `GitBinary::build_command`, as git would interpret this as `""` and try to run that command. This `-c diff.external` is a good safeguard to have on untrusted repositories because it prevents random commands, configured in `.git/config` from being run. For example, if one uses `git config diff.external "touch bananas.txt"` and then run `git diff`, a new `bananas.txt` file would be created. However, it was still possible to bypass this safeguard using the following strategy: 1. Specify a custom diff for a specific file format. For example, for markdown files, with `printf '*.md diff=pwned\n' > .gitattributes` 2. Update the command run by the `pwned` diff, for example, `git config diff.pwned.command "touch bananas.txt"` 3. Open Zed and attempt to generate a commit message in an untrusted repository and check that a new `bananas.txt` file was created This is only prevented by using the `--no-ext-diff` flag on the `diff` command, so a new `GitBinary::build_diff_command` has been introduced which simply wraps `GitBinary::build_command` and adds the `--no-ext-diff` flag, if necessary. As a side-effect, this also makes it so that generating a commit message in an untrusted repository works again, which was accidentally broken on zed-industries#50649 . Before you mark this PR as ready for review, make sure that you have: - [X] Added a solid test coverage and/or screenshots from doing manual testing - [X] Done a self-review taking into account security and performance aspects - [X] Aligned any UI changes with the [UI checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist) Release Notes: - Fixed commit message generation in untrusted repositories
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR cleans up the git command spawning by wrapping everything in GitBinary instead to follow a builder/factory pattern. It also extends trusted workspace support to git commands.
I also added a
clippy.tomlconfiguration to our git crate that warns against usingCommandstruct to spawn git commands instead of going throughGitBinary. This should help us maintain the factory pattern in the futureBefore you mark this PR as ready for review, make sure that you have:
Release Notes: