
Harden internal Git command execution to prevent shell injection #216

@pomek

Description


📝 Provide detailed reproduction steps (if any)

  1. Execute an internal command with shell-like payload in arguments, for example:
    const diff = require('./lib/commands/diff.js').default;
    diff.execute({
      arguments: [ 'test; touch HACKED; #' ],
      toolOptions: { packages: '' },
      repository: { directory: '' }
    });
  2. Observe whether payload fragments are interpreted by the shell.

✔️ Expected result

Internal mrgit commands treat user-provided arguments as literal Git arguments and do not execute shell fragments.

❌ Actual result

Historically, several internal commands built shell command strings and could execute injected shell fragments.

❓ Possible solution

Introduce a safe internal Git runner using argument vectors (spawn with shell: false) and migrate vulnerable commands (diff, push, checkout, close, commit, sync) to use it. Keep mrgit exec shell-powered by design and document it as trusted-input only.

Definition of done

  • Internal Git execution path does not use shell interpolation for affected commands.
  • Regression tests cover shell-like payloads for affected command arguments.
  • pnpm lint passes.
  • pnpm test passes.
  • Changelog entry added.
