negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

refactor: centralize pre-commit file filtering

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-16 03:35:56 +01:00
parent 91c49dd0ea
commit c1655982d4
5 changed files with 119 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
test/git-hooks-pre-commit.integration.test.ts Normal file
View File

@@ -0,0 +1,55 @@
import { execFileSync } from "node:child_process";
import { chmodSync, copyFileSync } from "node:fs";
import { mkdir, mkdtemp, writeFile } from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import { describe, expect, it } from "vitest";
const run = (cwd: string, cmd: string, args: string[] = []) => {
return execFileSync(cmd, args, { cwd, encoding: "utf8" }).trim();
};
describe("git-hooks/pre-commit (integration)", () => {
it("does not treat staged filenames as git-add flags (e.g. --all)", async () => {
const dir = await mkdtemp(path.join(os.tmpdir(), "openclaw-pre-commit-"));
run(dir, "git", ["init", "-q"]);
run(dir, "git", ["config", "user.email", "test@example.com"]);
run(dir, "git", ["config", "user.name", "Test"]);
// Copy the hook + helpers so the test exercises real on-disk wiring.
await mkdir(path.join(dir, "git-hooks"), { recursive: true });
await mkdir(path.join(dir, "scripts", "pre-commit"), { recursive: true });
copyFileSync(
path.join(process.cwd(), "git-hooks", "pre-commit"),
path.join(dir, "git-hooks", "pre-commit"),
);
copyFileSync(
path.join(process.cwd(), "scripts", "pre-commit", "run-node-tool.sh"),
path.join(dir, "scripts", "pre-commit", "run-node-tool.sh"),
);
copyFileSync(
path.join(process.cwd(), "scripts", "pre-commit", "filter-staged-files.mjs"),
path.join(dir, "scripts", "pre-commit", "filter-staged-files.mjs"),
);
chmodSync(path.join(dir, "git-hooks", "pre-commit"), 0o755);
chmodSync(path.join(dir, "scripts", "pre-commit", "run-node-tool.sh"), 0o755);
await writeFile(path.join(dir, "tracked.txt"), "initial\n");
run(dir, "git", ["add", "--", "tracked.txt"]);
run(dir, "git", ["commit", "-qm", "init"]);
// Create changes that should NOT be staged by the hook.
await writeFile(path.join(dir, "secret.txt"), "do-not-stage\n"); // untracked, not ignored
await writeFile(path.join(dir, "tracked.txt"), "changed\n"); // tracked, but not staged
// Stage a maliciously-named file. Older hooks using `xargs git add` could run `git add --all`.
await writeFile(path.join(dir, "--all"), "flag\n");
run(dir, "git", ["add", "--", "--all"]);
// Run the hook directly (same logic as when installed via core.hooksPath).
run(dir, "bash", ["git-hooks/pre-commit"]);
const staged = run(dir, "git", ["diff", "--cached", "--name-only"]).split("\n").filter(Boolean);
expect(staged).toEqual(["--all"]);
});
});

7
test/git-hooks-pre-commit.test.ts
View File

@@ -16,8 +16,11 @@ describe("git-hooks/pre-commit", () => {
// Option-injection hardening: always pass paths after "--".
expect(script).toMatch(/\ngit add -- /);
// The original bug used whitespace + xargs, and passed unsafe flags.
// The original bug used whitespace + xargs.
expect(script).not.toMatch(/xargs\s+git add/);
expect(script).not.toMatch(/--no-error-on-unmatched-pattern/);
// Expected helper wiring for consistent tool invocation.
expect(script).toMatch(/scripts\/pre-commit\/run-node-tool\.sh/);
expect(script).toMatch(/scripts\/pre-commit\/filter-staged-files\.mjs/);
});
});