Backticks in git commit -m messages can trigger shell expansion
during hook processing. This adds:
- .githooks/pre-commit: warns when commit message contains
backticks (reads COMMIT_EDITMSG, warns but does not block)
- scripts/safe-commit.sh: safe commit wrapper using -F <file>
instead of -m (prevents all shell expansion)
- docs/SAFE_COMMIT_PATTERNS.md: documents safe patterns and
what NOT to do
The repo hooks (pre-commit, stale-pr-closer) are already clean.
This is preventive hardening + documentation.
Fixes #1430
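#!/usr/bin/env bash
# ═══════════════════════════════════════════════════════════════
# safe-commit.sh — Commit with message from file (prevents shell injection)
#
# Issue #1430: Backticks in commit messages can trigger shell
# substitution during git hook processing. Using -F <file> instead
# of -m prevents this.
#
# Usage:
#   ./scripts/safe-commit.sh "my commit message"
#   ./scripts/safe-commit.sh -F message.txt
#   echo "message" | ./scripts/safe-commit.sh --stdin
#
# Caveats a caller must understand:
#   * The positional form cannot undo expansion that already happened in
#     the *calling* shell: a double-quoted argument containing backticks
#     or $(...) reaches this script already expanded. Single-quote the
#     argument, or use -F / --stdin fed from a quoted here-doc (<<'EOF')
#     whenever the message contains ` or $.
#   * This script stages ALL changes (git add -A), including untracked
#     files. Check `git status` first so nothing unintended (credentials,
#     local config) is swept into the commit.
#   * A pre-commit hook runs before the message is written, so it cannot
#     inspect the final message; only the commit-msg hook sees it.
#
# Exit status: 0 on success; 1 on usage error; git's status otherwise.
# ═══════════════════════════════════════════════════════════════
set -euo pipefail

# Honour TMPDIR; mktemp creates the file mode 0600 with an unpredictable name.
TMPFILE=$(mktemp "${TMPDIR:-/tmp}/commit-msg-XXXXXX")
readonly TMPFILE
# Single quotes: $TMPFILE is expanded when the trap fires, not at definition.
trap 'rm -f -- "$TMPFILE"' EXIT

#######################################
# Print usage to stderr and exit with status 1.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stderr
# Returns:   does not return
#######################################
usage() {
  echo "Usage: $0 <message> | $0 -F <file> | $0 --stdin" >&2
  echo "" >&2
  echo "Always uses git commit -F to prevent shell injection." >&2
  exit 1
}

#######################################
# Warn (on stderr) when more arguments were passed than the chosen
# form consumes. Stray arguments usually mean the message was not
# quoted and has already been word-split by the caller's shell.
# Globals:   none
# Arguments: $1 - number of arguments the form consumes
#            $2 - actual argument count
# Returns:   0
#######################################
warn_extra_args() {
  local expected=$1 actual=$2
  if (( actual > expected )); then
    printf 'safe-commit: ignoring %d extra argument(s); was the message quoted?\n' \
      "$(( actual - expected ))" >&2
  fi
}

#######################################
# Write the commit message into TMPFILE according to the argument form.
# Globals:   TMPFILE (written)
# Arguments: the script's positional parameters
# Returns:   0 on success; exits via usage() on a bad invocation
#######################################
write_message() {
  case "${1:-}" in
    -F)
      # "-F" with no path must not fall through to the positional branch,
      # which would otherwise commit the literal message "-F".
      [[ -n "${2:-}" ]] || usage
      warn_extra_args 2 "$#"
      cp -- "$2" "$TMPFILE"
      ;;
    --stdin)
      warn_extra_args 1 "$#"
      cat > "$TMPFILE"
      ;;
    '')
      usage
      ;;
    *)
      warn_extra_args 1 "$#"
      # printf '%s' writes the argument byte-for-byte: no format or
      # backslash interpretation, and nothing is re-parsed by a shell.
      printf '%s' "$1" > "$TMPFILE"
      ;;
  esac
}

#######################################
# Stage everything and commit with the message held in TMPFILE.
# Globals:   TMPFILE (read)
# Arguments: the script's positional parameters
# Outputs:   confirmation line on stdout
# Returns:   0 on success; non-zero from git or usage()
#######################################
main() {
  write_message "$@"

  # Stage all changes (tracked and untracked alike — see header caveat).
  git add -A

  # The message travels as file content, never as a shell word, so
  # nothing in it can be expanded by this script or by git.
  git commit -F "$TMPFILE"

  echo "✓ Committed safely (no shell expansion)"
}

main "$@"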