fix(win): harden artifact.c git shell-outs against unquoted/unvalidated repo paths#886
Merged
DeusData merged 1 commit intoJul 5, 2026
Conversation
…ed repo paths
artifact.c shells out to git twice via cbm_popen with the repo path interpolated
straight into the command:
git -C '%s' rev-parse HEAD 2>/dev/null (git_head_hash)
git -C '%s' config merge.ours.driver true 2>/dev/null (ensure_gitattributes)
Both used SINGLE quotes with NO validation of repo_path. cmd.exe does not honor
single quotes, so on Windows a repo path containing a space broke argument grouping
(the artifact commit hash and merge-driver config silently failed for any spaced repo
path), and an embedded quote or shell metacharacter could break out of the intended
argument. This was the only unvalidated git shell interpolation left in the tree.
Different bug class from the CreateProcess argv-quoting fix (which re-parses a single
command STRING back into argv); this is popen/shell command-string quoting — hence a
separate, atomic PR per review.
Fix: validate repo_path with cbm_artifact_repo_path_is_shell_safe() and switch to
double quotes + a per-platform null device, matching git_context.c (the best-hardened
git shell-out): cbm_validate_shell_arg rejects quote / backslash / substitution
metacharacters, and on Windows we also reject the cmd.exe expansion metacharacters
% ! ^. Double quotes are honored by both POSIX sh and cmd.exe, so a legitimate spaced
repo path now works — the concrete regression the single-quote form caused.
The validator is exposed (artifact.h) and guarded by a new test_artifact.c suite:
plain + spaced paths accepted; quote / ; / $() / backtick / pipe injection rejected;
the cmd.exe metacharacters % ! ^ rejected on Windows (allowed on POSIX, where they are
literal inside double quotes).
Refs: DeusData#881
Signed-off-by: Flipper <jacobphilipp@ymail.com>
6aabf39 to
b0e71f0
Compare
Owner
|
Merged — thank you, @Flipper1994! 🙏 This is a clean, well-targeted hardening: gating both git shell-outs on |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #881 (split out per review). Hardens the git shell-outs in
pipeline/artifact.c— a different bug class from #881'sCreateProcessargv-quoting: this ispopen/shell command-string quoting.The bug
artifact.cshells out to git twice viacbm_popen, interpolating the repo path with single quotes and no validation:cmd.exedoes not honor single quotes, so on Windows a repo path containing a space breaks argument grouping — the artifact commit hash and merge-driver config silently fail for any spaced repo path.repo_pathcould break out of the intended argument.This was the only unvalidated git shell interpolation left in the tree (every other git shell-out —
git_context.c,pass_githistory.c,watcher.c,mcp.c— already validates and double-quotes).Fix
repo_pathwithcbm_artifact_repo_path_is_shell_safe()and switch to double quotes + a per-platform null device, matchinggit_context.c(the best-hardened git shell-out).cbm_validate_shell_argrejects quote / backslash / substitution metacharacters; on Windows we additionally reject thecmd.exeexpansion metacharacters% ! ^.shandcmd.exe, so a legitimate spaced repo path now works — the concrete regression the single-quote form caused.Test
New guard suite in
tests/test_artifact.cfor the exposedcbm_artifact_repo_path_is_shell_safe():;/$()/ backtick / pipe injection rejected,cmd.exemetacharacters% ! ^rejected on Windows (allowed on POSIX, where they are literal inside double quotes).Scope
Atomic to the artifact.c shell-quoting hardening. No behavior change on valid paths except that spaced paths now work on Windows.
Refs #881.