
Conversation


@kratos06 kratos06 commented Jan 28, 2026

🛡️ Sentinel: [CRITICAL] Fix command injection vulnerability in git utilities

Vulnerability:
The previous implementation used child_process.exec to execute git commands, which spawns a shell. User inputs (e.g., search queries, commit hashes) were concatenated directly into the command string. This allowed potential Command Injection if a malicious input contained shell metacharacters (e.g., ; rm -rf /).

Impact:
An attacker could execute arbitrary commands on the victim's machine by supplying a crafted search query or commit hash through the extension's UI.

Fix:
Replaced exec with execFile. execFile executes the command directly without spawning a shell and accepts arguments as an array. This treats all arguments as data, effectively neutralizing the injection vector.

Verification:

  • Ran src/utils/__tests__/git.spec.ts which now verifies that execFile is called with the correct array of arguments.
  • Verified that functionality remains equivalent for valid inputs.

PR created automatically by Jules for task 4753336373752895960 started by @kratos06


Summary by cubic

Fixes a critical command injection vulnerability in git utilities by replacing child_process.exec with execFile and using argument arrays. This removes shell parsing and blocks arbitrary command execution from malicious inputs.

  • Bug Fixes
    • Switched all git calls in src/utils/git.ts to execFile with safe args.
    • Refactored searchCommits, getCommitInfo, and getWorkingState to build argument arrays.
    • Updated tests to mock execFile and verify arguments.
    • Added security note in .jules/sentinel.md.

Written for commit 8191237. Summary will update on new commits.

Summary by CodeRabbit

  • Bug Fixes

    • Enhanced security of command execution in git operations.
  • Tests

    • Updated test suite to align with command execution improvements.
  • Documentation

    • Added documentation on secure command execution patterns and best practices.


- Replaced `child_process.exec` with `child_process.execFile` in `src/utils/git.ts`.
- Updated `searchCommits`, `getCommitInfo`, `getWorkingState`, and other functions to use array arguments, preventing shell injection.
- Updated tests in `src/utils/__tests__/git.spec.ts` to mock `execFile` and verify argument arrays.
- Added `.jules/sentinel.md` with critical learning.

Co-authored-by: kratos06 <7855778+kratos06@users.noreply.github.com>
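The following is an added example, not code from this PR or from the extension's src/utils/git.ts; it contrasts the pattern the description says was removed (a shell command string built by concatenation and handed to exec) with the pattern it adopted (an argv array handed to execFile, no shell). All function names (buildShellCommandString, shellWouldSplit, buildGitLogArgs, isPlausibleCommitHash, argvSeenByChild) and the sample query are constructed for illustration and are not the project's API. The child process is node itself rather than git so the demo runs without a repository checkout.

```typescript
// Added example (not the PR's code): shell-string vs argv-array invocation.
import { execFileSync } from "node:child_process";

// Constructed sample input: a commit search query carrying shell metacharacters.
export const SAMPLE_QUERY = 'login fix"; echo INJECTED; "';

// Before (the vulnerable pattern): one string that exec() would hand to a shell.
// It is built here only for inspection and is never executed.
export function buildShellCommandString(query: string): string {
  return `git log --grep="${query}" --oneline`;
}

// Rough model of how a POSIX shell would read the string: returns true when a
// separator sits outside double quotes, or when $ / backtick appear anywhere
// (both expand even inside double quotes). Single quotes and backslash escapes
// are deliberately ignored; this is a check for the demo, not a shell parser.
export function shellWouldSplit(command: string): boolean {
  let inDoubleQuotes = false;
  for (const ch of command) {
    if (ch === '"') {
      inDoubleQuotes = !inDoubleQuotes;
      continue;
    }
    if (ch === "$" || ch === "`") return true;
    if (!inDoubleQuotes && ";|&<>".includes(ch)) return true;
  }
  return false;
}

// After (the execFile pattern): every element is exactly one argv entry, so the
// query reaches git as data. Using --grep=<value> binds the value to its option,
// so a query beginning with '-' cannot be read as a separate git flag.
export function buildGitLogArgs(query: string, maxCount = 50): string[] {
  return ["log", `--grep=${query}`, "--oneline", `--max-count=${maxCount}`];
}

// Defence in depth for the other input the description names: a commit hash
// is an abbreviated or full hex SHA-1, nothing else.
export function isPlausibleCommitHash(ref: string): boolean {
  return /^[0-9a-f]{7,40}$/i.test(ref);
}

// Spawn a child without a shell and return the argv it actually received.
// node is used as the child program (assumption: process.execPath is node);
// "--" ends node's own option parsing so dash-prefixed args pass through.
export function argvSeenByChild(args: string[]): string[] {
  const script = "console.log(JSON.stringify(process.argv.slice(1)))";
  const stdout = execFileSync(process.execPath, ["-e", script, "--", ...args], {
    encoding: "utf8",
  });
  return JSON.parse(stdout) as string[];
}

// Stand-alone demo output.
console.log("shell string:", buildShellCommandString(SAMPLE_QUERY));
console.log("shell would split it:", shellWouldSplit(buildShellCommandString(SAMPLE_QUERY)));
console.log("argv received by child:", argvSeenByChild(buildGitLogArgs(SAMPLE_QUERY)));
```

The argv array closes the shell-injection vector the PR describes, but it does not validate the values themselves: a query or ref is still handed to git as an argument, so binding values with the `--option=value` form (or placing `--` before positional refs) and rejecting refs that are not hex hashes are the cheap complements to execFile that keep a crafted input from being interpreted as a git option.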
@google-labs-jules

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai

coderabbitai bot commented Jan 28, 2026

📝 Walkthrough

Walkthrough

Security refactoring that migrates from child_process.exec to child_process.execFile to prevent command injection vulnerabilities. Arguments are passed as separate arrays instead of shell command strings, with updated tests and implementation.

Changes

Cohort / File(s) and summary:

  • Documentation: .jules/sentinel.md
    Adds Markdown documentation describing a Command Injection vulnerability via child_process.exec, including learning points and prevention strategies using execFile.
  • Implementation: src/utils/git.ts
    Replaces child_process.exec with execFile; updates all git command invocations to pass arguments as arrays; maintains functional equivalence with adjusted error handling.
  • Tests: src/utils/__tests__/git.spec.ts
    Updates test suite to replace exec with execFile; renames type aliases ExecFunction→ExecFileFunction and PromisifiedExec→PromisifiedExecFile; refactors mock implementations to handle separate file and args parameters; adjusts all test cases (install check, commit search, commit info, working state, repository info) for new invocation signatures.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 With shell spawning gone, our commands run bare,
No meta-chars hidden in argument air,
From exec's risky dance to execFile's care,
Each array of args, cleanly paired—
Injection attacks? Not today, friends, I swear! ✨

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

  • Description check ⚠️ Warning
    Explanation: The PR description is comprehensive and addresses the vulnerability, impact, fix, and verification. However, it does not follow the required template structure with sections like 'Related GitHub Issue', 'Test Procedure', and the 'Pre-Submission Checklist'.
    Resolution: Restructure the description to include required template sections: Related GitHub Issue, Test Procedure, and Pre-Submission Checklist. Link the PR to the approved GitHub Issue as mandated by the contributing guidelines.
  • Docstring Coverage ⚠️ Warning
    Explanation: Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.
    Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

  • Title check ✅ Passed
    Explanation: The title accurately and specifically describes the main security fix: replacing child_process.exec with execFile to prevent command injection in git utilities.


@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 3 files
