fix: harden pre-commit hook against option injection

Peter Steinberger
2026-02-16 03:15:31 +01:00
parent dc9808a674
commit ba84b12535
4 changed files with 61 additions and 8 deletions


@@ -0,0 +1,23 @@
import { readFileSync } from "node:fs";
import path from "node:path";
import { describe, expect, it } from "vitest";
describe("git-hooks/pre-commit", () => {
it("avoids option injection and unsafe whitespace parsing", () => {
const scriptPath = path.join(process.cwd(), "git-hooks", "pre-commit");
const script = readFileSync(scriptPath, "utf8");
// NUL-delimited list: supports spaces/newlines in filenames.
expect(script).toMatch(/--name-only/);
expect(script).toMatch(/--diff-filter=ACMR/);
expect(script).toMatch(/\s-z\b/);
expect(script).toMatch(/mapfile -d '' -t files/);
// Option-injection hardening: always pass paths after "--".
expect(script).toMatch(/\ngit add -- /);
// The original bug used whitespace + xargs, and passed unsafe flags.
expect(script).not.toMatch(/xargs\s+git add/);
expect(script).not.toMatch(/--no-error-on-unmatched-pattern/);
});
});
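Review bot: The `/\s-z\b/` assertion is too loose to prove the NUL-delimited `git diff` it stands for, because any `[ -z "$var" ]` test in the hook also satisfies it, so the check would keep passing if `-z` were dropped from the diff call. Anchor it to the command it is meant to guard, e.g. `expect(script).toMatch(/git diff[^\n]*\s-z\b/);`. The `/\ngit add -- /` match likewise only holds while `git add` sits at column 0; that is acceptable as long as the hook is not reformatted, but worth a short comment such as `// anchored to line start so an xargs/indented variant cannot satisfy it`. Since the test requires `mapfile -d ''`, which needs bash 4.4 or later, consider also asserting the hook's shebang (the hook itself is not in this hunk) so the hardened version does not silently fail on platforms that ship an older bash.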