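#!/usr/bin/env bash
# commit-msg hook: neutralize shell-substitution syntax in commit messages
#
# Issue: #1430 — memory_mine.py ran during git commit due to backtick substitution
#
# Problem: git commit -m "message with `code`" — when the -m argument is
# written in double quotes, the caller's shell performs the backtick (and
# $(...)) substitution before git ever receives the message, and anything
# downstream that later interpolates the message text into a double-quoted
# shell string can evaluate it again. This hook only sees the message file
# git hands it ($1), so it can only detect and defuse what is still literal
# in that file.
#
# Fix: rewrite backticks to single quotes and "$(" to "\$(" in the message
# file and warn the author. The hook itself never embeds message text in a
# double-quoted shell expression, sed script or printf format string (an
# unpaired backtick inside double quotes, as in sed "s/`/'/g", is itself a
# command substitution and makes the script unparseable).
# Safe pattern for authors: use git commit -F <file> instead of -m for
# code-containing messages.

# -e is deliberately omitted: every failure path is checked explicitly and
# main's return status becomes the script's exit code.
set -uo pipefail

#######################################
# Print the arguments as one line on stderr.
# Arguments: $* - text to print
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Replace shell-substitution syntax in a message with inert text.
#   `  -> '      (backtick command substitution)
#   $( -> \$(    ($(...) command substitution)
# Uses parameter expansion with quoted patterns so message content is never
# interpreted as a glob, a sed script or a shell expression.
# Arguments: $1 - message text
# Outputs:   rewritten text on stdout, without a trailing newline
# Returns:   0
#######################################
sanitize_commit_message() {
  local text=$1
  local backtick='`' single_quote="'"
  local dollar_paren='$(' escaped_dollar_paren='\$('
  text=${text//"$backtick"/"$single_quote"}
  text=${text//"$dollar_paren"/"$escaped_dollar_paren"}
  printf '%s' "$text"
}

#######################################
# Hook entry point: warn about, then neutralize, substitution syntax in the
# commit message file git passes as the first argument.
# Arguments: $1 - path of the commit message file
# Outputs:   warnings and advice on stderr
# Returns:   0 when the message is clean or was rewritten,
#            2 when the argument is missing or the file cannot be read/written
#######################################
main() {
  if (( $# < 1 )) || [[ -z "$1" ]]; then
    warn "usage: ${0##*/} <commit-msg-file>"
    return 2
  fi
  local commit_msg_file=$1
  local msg
  # $(<file) is the builtin form of $(cat file); both drop trailing newlines,
  # which the single printf '%s\n' below restores.
  msg=$(<"$commit_msg_file") || {
    warn "commit-msg hook: cannot read $commit_msg_file"
    return 2
  }

  local backtick='`'
  if [[ "$msg" == *"$backtick"* ]]; then
    warn "⚠️ WARNING: Commit message contains backtick characters."
    warn " Backticks inside a double-quoted -m argument are run as command substitution by your shell."
    warn ""
    warn " SAFE ALTERNATIVES:"
    warn " 1. Use single quotes in code examples: 'code here'"
    warn " 2. Use fenced code blocks with 4-space indent instead of backticks"
    warn " 3. Write message to file: git commit -F msg.txt"
    warn ""
    warn " Sanitizing: converting backticks to single quotes..."
  fi
  if [[ "$msg" == *'$('* ]]; then
    warn "⚠️ WARNING: Commit message contains \$(...) — possible command injection."
    warn " Escaping dollar signs before parentheses..."
  fi

  local sanitized
  sanitized=$(sanitize_commit_message "$msg")
  # Both rewrites are applied to one working copy and written once, so the
  # second check can no longer overwrite the result of the first.
  if [[ "$sanitized" != "$msg" ]]; then
    printf '%s\n' "$sanitized" > "$commit_msg_file" || {
      warn "commit-msg hook: cannot write $commit_msg_file"
      return 2
    }
    warn " ✓ Substitution syntax neutralized. Proceeding with commit."
  fi
  return 0
}

main "$@"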