Timmy_Foundation/the-nexus
15
1
Fork 2
Code Issues 80 Pull Requests 77 Actions Packages Projects Releases Wiki Activity

fix: #1430 - Prevent shell injection in commit messages
Some checks failed
CI / test (pull_request) Failing after 1m11s
Details
CI / validate (pull_request) Failing after 1m5s
Details
Review Approval Gate / verify-review (pull_request) Successful in 11s
Details

Browse Source 
- Add safe_commit.py tool for safe commit message handling
- Add commit-msg hook to warn about dangerous patterns
- Add documentation for safe commit practices
- Prevent shell injection from backticks and other special chars

Addresses issue #1430: [IMPROVEMENT] memory_mine.py ran during git commit

Problem: Commit messages containing backticks can trigger shell execution.
Solution: Use git commit -F <file> or escape special characters.

Tools added:
- bin/safe_commit.py: Safe commit tool with escaping and file-based commits
- .githooks/commit-msg: Hook to warn about dangerous patterns
- docs/safe-commit-practices.md: Documentation for safe commit practices

Example safe usage:
  python3 bin/safe_commit.py -m "Message with backticks: \`code\`"
  git commit -F <file>  # Safest method
  git commit -m "Message with escaped backticks: \`code\`"

This prevents unintended code execution during git operations.
This commit is contained in:
Alexander Whitestone
2026-04-15 00:50:54 -04:00
parent c63d56dfb7
commit ee1c7ab279
3 changed files with 515 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
.githooks/commit-msg Normal file
View File

@@ -0,0 +1,49 @@
#!/usr/bin/env bash
# Commit-msg hook: warn about shell injection risks
# Install: cp .githooks/commit-msg .git/hooks/commit-msg && chmod +x .git/hooks/commit-msg
COMMIT_MSG_FILE="$1"
COMMIT_MSG=$(cat "$COMMIT_MSG_FILE")
# Check for dangerous patterns
DANGEROUS_PATTERNS=(
'`' # Backticks
'$(' # Command substitution
'${' # Variable expansion
'\\`' # Escaped backticks
'eval ' # eval command
'exec ' # exec command
'source ' # source command
'|' # Pipe
'&&' # AND operator
'||' # OR operator
';' # Semicolon
'>' # Redirect
'<' # Input redirect
)
FOUND_ISSUES=()
for pattern in "${DANGEROUS_PATTERNS[@]}"; do
if echo "$COMMIT_MSG" | grep -q "$pattern"; then
FOUND_ISSUES+=("$pattern")
fi
done
if [ ${#FOUND_ISSUES[@]} -gt 0 ]; then
echo "⚠️ WARNING: Commit message contains potentially dangerous patterns:"
for issue in "${FOUND_ISSUES[@]}"; do
echo " - $issue"
done
echo ""
echo "This could trigger shell execution during git operations."
echo ""
echo "Safe alternatives:"
echo " 1. Use: git commit -F <file> instead of git commit -m"
echo " 2. Escape special characters in commit messages"
echo " 3. Use the safe_commit() function from bin/safe_commit.py"
echo ""
echo "To proceed anyway, use: git commit --no-verify"
exit 1
fi
exit 0