the-nexus/docs/SAFE_COMMIT_PATTERNS.md
Timmy 761ad313c7
fix(#1430): Prevent shell injection from commit messages
Backticks in git commit -m messages can trigger shell expansion
during hook processing. This adds:

  - .githooks/pre-commit: warns when commit message contains
    backticks (reads COMMIT_EDITMSG, warns but does not block)
  - scripts/safe-commit.sh: safe commit wrapper using -F <file>
    instead of -m (prevents all shell expansion)
  - docs/SAFE_COMMIT_PATTERNS.md: documents safe patterns and
    what NOT to do

The repo hooks (pre-commit, stale-pr-closer) are already clean.
This is preventive hardening + documentation.

Fixes #1430
2026-04-17 01:28:44 -04:00


# Safe Commit Patterns
## Issue #1430
Backticks inside a double-quoted `git commit -m` message are command
substitution for the shell that runs the command, and hooks that process
the message can expand them again. A commit message written as:
```bash
git commit -m "fix: update `connectMemPalace()` to use Fleet API"
```
causes the shell to try to execute `connectMemPalace()` and substitute its
output into the message before git ever sees it.
## Safe Patterns
### 1. Use safe-commit.sh (recommended)
```bash
./scripts/safe-commit.sh "fix: update connectMemPalace() to use Fleet API"
```
This writes the message to a temp file and uses `git commit -F`,
which prevents shell expansion.
### 2. Use git commit -F directly
```bash
echo "fix: update \`connectMemPalace()\` to use Fleet API" > /tmp/msg.txt
git commit -F /tmp/msg.txt
```
The escaped backticks reach the file literally and git reads the file
verbatim. On shared hosts prefer a private file from `mktemp` over a
fixed, predictable path under `/tmp`.
### 3. Use single quotes (less reliable with hooks)
```bash
git commit -m 'fix: update `connectMemPalace()` to use Fleet API'
```
Single quotes prevent shell expansion in the commit command itself,
but hooks that read the message may still process backticks.
### 4. Use heredoc for multiline
```bash
git commit -F - <<'EOF'
fix: update `connectMemPalace()` to use Fleet API
The mock MCP server was overwriting the real Fleet API version.
EOF
```
The quoted delimiter (`'EOF'`) disables all expansion inside the heredoc
body, so backticks, `$(...)` and `$VAR` are passed through unchanged.
## What NOT to do
```bash
# BAD — backticks trigger shell expansion
git commit -m "fix: update `connectMemPalace()` to use Fleet API"
# BAD — $(...) triggers command substitution
git commit -m "fix: update $(cat file.py) to use Fleet API"
# BAD — ! triggers history expansion in interactive bash sessions
git commit -m "fix: this is not a joke! seriously"
```
## For agents
When a commit message contains backticks or other shell metacharacters:
1. Always use `git commit -F <file>` or `safe-commit.sh`
2. Never interpolate user content into `-m` strings
3. Escape or remove backticks from commit messages when possible
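The wrapper from section 1 and the warn-only hook check, as an added example written for this page; it is not the repository's own `scripts/safe-commit.sh` or `.githooks/pre-commit`, and the function names `has_shell_metachars`, `write_message_file`, `safe_commit` and `check_message_file` are assumptions. It assumes POSIX sh with `mktemp` and `git` on PATH.

```shell
#!/bin/sh
# Added example: not the repository's scripts/safe-commit.sh or its hook.
# Two pieces: a wrapper that commits with -F from a private temp file, and
# the hook-side check for shell metacharacters in the message file.

# has_shell_metachars MSG: succeed if MSG contains a sequence a shell would
# expand inside a double-quoted -m argument. Only case patterns are used;
# the message is never echoed, eval'd or handed to a regex engine.
has_shell_metachars() {
    case "$1" in
        *'`'*|*'$('*|*'!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_message_file MSG: write MSG verbatim to a mktemp file (unpredictable
# name, mode 0600, unlike a fixed /tmp/msg.txt) and print its path.
# printf '%s' rather than echo, so backslashes and a leading '-' survive.
write_message_file() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    printf '%s\n' "$tmp"
}

# safe_commit MSG [git commit options...]: git reads the message from the
# file, so the shell never re-parses it. POSIX sh, hence no 'local'.
safe_commit() {
    msg=$1; shift
    if has_shell_metachars "$msg"; then
        printf 'safe-commit: shell metacharacters in message; using -F\n' >&2
    fi
    file=$(write_message_file "$msg") || return 1
    git commit -F "$file" "$@"
    status=$?
    rm -f "$file"
    return $status
}

# check_message_file PATH: warn-only hook check. A commit-msg hook receives
# the message file as $1; pre-commit runs before git writes the new message,
# so it cannot reliably inspect it. Exit 0 either way: warn, do not block.
check_message_file() {
    [ -f "$1" ] || return 0
    if grep -q '`' "$1"; then
        printf 'hook: warning: commit message contains backticks\n' >&2
    fi
    return 0
}
```

Source the file and call `safe_commit 'fix: update `connectMemPalace()` to use Fleet API'`; the single-quoted argument reaches the function unexpanded and git reads it from the temp file.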