4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2024-05-22 - Command Injection in Git Utils
⚠️ Potential issue | 🟡 Minor

Incorrect date in the security note.

The heading says "2024-05-22" but this PR was created on 2026-02-06. This appears to be an error - consider updating to the correct date.

🤖 Prompt for AI Agents
In @.jules/sentinel.md at line 1, Update the heading date in .jules/sentinel.md
from "2024-05-22 - Command Injection in Git Utils" to the correct PR creation
date "2026-02-06 - Command Injection in Git Utils" so the security note reflects
the accurate timestamp.

@cubic-dev-ai cubic-dev-ai bot Feb 6, 2026
P3: The date in the security note heading is incorrect. The note says '2024-05-22' but this fix was created on 2026-02-06. Update the date to reflect when this vulnerability was actually discovered and fixed.

Prompt for AI agents
Check if this issue is valid - if so, understand the root cause and fix it. At .jules/sentinel.md, line 1:

<comment>The date in the security note heading is incorrect. The note says '2024-05-22' but this fix was created on 2026-02-06. Update the date to reflect when this vulnerability was actually discovered and fixed.</comment>

<file context>
@@ -0,0 +1,4 @@
+## 2024-05-22 - Command Injection in Git Utils
+**Vulnerability:** Found a critical Command Injection vulnerability in `src/utils/git.ts`. The `searchCommits` function used `child_process.exec` with user-supplied input interpolated directly into the command string (`git log ... --grep="${query}"`). This allowed arbitrary command execution via shell metacharacters.
+**Learning:** `child_process.exec` spawns a shell (/bin/sh or cmd.exe) which interprets the command string. Always assume inputs destined for `exec` are hostile. `execFile` or `spawn` should be preferred as they execute the binary directly and treat arguments as literal strings, bypassing the shell.
</file context>
**Vulnerability:** Found a critical Command Injection vulnerability in `src/utils/git.ts`. The `searchCommits` function used `child_process.exec` with user-supplied input interpolated directly into the command string (`git log ... --grep="${query}"`). This allowed arbitrary command execution via shell metacharacters.
**Learning:** `child_process.exec` spawns a shell (/bin/sh or cmd.exe) which interprets the command string. Always assume inputs destined for `exec` are hostile. `execFile` or `spawn` should be preferred as they execute the binary directly and treat arguments as literal strings, bypassing the shell.
**Prevention:** Use `child_process.execFile` (or `spawn`) with an array of arguments instead of `exec` with a command string. Ensure user input is never concatenated into a command string that is passed to a shell.
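Review bot: The Prevention line should carry two caveats that the note as written leaves out. First, `execFile` and `spawn` only bypass the shell when `shell: true` is not set; passing that option hands the argument array back to `/bin/sh` or `cmd.exe` and reintroduces exactly the injection described in the Vulnerability line, so the note should say the option must stay off. Second, moving to an argument array removes shell metacharacter injection but not argument injection: the user value should remain attached to its option as a single argv element (`--grep=<query>`, matching the original `--grep="${query}"` shape) rather than becoming a free-standing argument that `git log` could parse as an option of its own. It would also help readers to reference the corrected `searchCommits` in `src/utils/git.ts`, since this note documents the defect but not where the fixed call lives.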