Secure shared .gtrconfig commands behind trust (#163)

* Address thresher.sh findings, introduce trust flow for injectable code, remove path traversal vuln, harden workflows for supplychain attacks

* Updated items based on CONTRIBUTING.md

* fix: address PR 162 regressions

* fix: harden adapter and trust handling

* fix: harden adapter execution and trust markers

* fix: allow override adapters without PATH lookup

* fix: avoid trust marker temp leaks

* refactor: clean adapter parsing and init trust helpers

* Address CodeRabbit review: relax argv validation and fail closed hook trust

* fix: trust-gate gtrconfig tool defaults

* fix: correct fish gtrconfig path regex

* fix: harden fish gtrconfig trust helpers

---------

Co-authored-by: shadowcodex <1348053+shadowcodex@users.noreply.github.com>

Author: helizaga

.github/workflows/homebrew.yml

@@ -4,13 +4,15 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   homebrew:
     name: Bump Homebrew formula
     runs-on: ubuntu-latest
     if: ${{ !github.event.release.prerelease }}
     steps:
-      - uses: mislav/bump-homebrew-formula-action@v3
+      - uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3
         with:
           formula-name: git-gtr
           formula-path: Formula/git-gtr.rb

.github/workflows/lint.yml

@@ -6,12 +6,14 @@ on:
   pull_request:
     branches: [main]
 
+permissions: read-all
+
 jobs:
   shellcheck:
     name: ShellCheck
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install ShellCheck
         run: sudo apt-get update && sudo apt-get install -y shellcheck
@@ -24,7 +26,7 @@ jobs:
     name: Completions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Verify completion files are up to date
         run: ./scripts/generate-completions.sh --check
@@ -33,7 +35,7 @@ jobs:
     name: Tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install BATS
         run: sudo apt-get update && sudo apt-get install -y bats

CHANGELOG.md

@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com), and this
 
 ## [Unreleased]
 
+### Added
+
+- `git gtr trust` now covers `.gtrconfig` `defaults.editor` and `defaults.ai` entries as executable commands, preventing shared config from selecting editor or AI commands until reviewed.
+
 ## [2.7.0] - 2026-04-27
 
 ### Added

README.md

@@ -343,6 +343,16 @@ git gtr clean --merged --force --yes           # Force-clean and auto-confirm
 
 **Note:** The `--merged` mode auto-detects your hosting provider (GitHub or GitLab) from the `origin` remote URL and requires the corresponding CLI tool (`gh` or `glab`) to be installed and authenticated. For self-hosted instances, set the provider explicitly: `git gtr config set gtr.provider gitlab`.
 
+### `git gtr trust`
+
+Review and approve executable commands defined in the repository's `.gtrconfig` file. Hooks and editor/AI defaults from `.gtrconfig` are **not used** until explicitly trusted — this prevents malicious contributors from injecting arbitrary shell commands via shared config files.
+
+```bash
+git gtr trust                              # Review and approve .gtrconfig commands
+```
+
+Trust is stored per repository path plus executable command definitions and must be re-approved if hooks or editor/AI defaults change. Hooks and defaults from your local git config (`.git/config`, `~/.gitconfig`) are always trusted.
+
 ### Other Commands
 
 - `git gtr doctor` - Health check (verify git, editors, AI tools)
@@ -362,6 +372,14 @@ git gtr config set gtr.editor.default cursor
 # Set your AI tool (aider, auggie, claude, codex, continue, copilot, cursor, gemini, opencode)
 git gtr config set gtr.ai.default claude
 
+# Override-backed adapters may include flags
+git gtr config set gtr.editor.default "nano -w"
+git gtr config set gtr.ai.default "claude --continue"
+
+# Generic fallbacks may use other safe PATH commands
+git gtr config set gtr.editor.default "code --wait"
+git gtr config set gtr.ai.default "bunx @github/copilot@latest"
+
 # Copy env files to new worktrees
 git gtr config add gtr.copy.include "**/.env.example"
 
@@ -394,10 +412,14 @@ git gtr config set gtr.ui.color never
     remote = upstream
 ```
 
+**Command trust:** Hooks and editor/AI defaults defined in `.gtrconfig` require explicit approval before they execute or select tools. Run `git gtr trust` after cloning a repository or when `.gtrconfig` command entries change. This protects against malicious command injection in shared repositories.
+
+**Adapter safety:** Generic `gtr.editor.default` and `gtr.ai.default` values must resolve to safe PATH commands. Filesystem paths such as `./tool` and shell wrapper forms such as `sh -c ...` are rejected. Override-backed adapters like `claude`, `cursor`, and `nano` may include additional flags, for example `claude --continue` or `nano -w`.
+
 **Configuration precedence** (highest to lowest):
 
 1. `git config --local` (`.git/config`) - personal overrides
-2. `.gtrconfig` (repo root) - team defaults
+2. `.gtrconfig` (repo root) - team defaults (hooks and editor/AI defaults require `git gtr trust`)
 3. `git config --global` (`~/.gitconfig`) - user defaults
 
 > For complete configuration reference including all settings, hooks, file copying patterns, and environment variables, see [docs/configuration.md](docs/configuration.md)

adapters/ai/claude.sh

@@ -42,6 +42,7 @@ ai_can_start() {
 ai_start() {
   local path="$1"
   shift
+  local configured_args=("${GTR_AI_CMD_ARGS[@]}")
 
   local claude_cmd
   claude_cmd="$(find_claude_executable)"
@@ -57,5 +58,5 @@ ai_start() {
     return 1
   fi
 
-  (cd "$path" && "$claude_cmd" "$@")
+  (cd "$path" && "$claude_cmd" "${configured_args[@]}" "$@")
 }

adapters/ai/cursor.sh

@@ -11,6 +11,7 @@ ai_can_start() {
 ai_start() {
   local path="$1"
   shift
+  local configured_args=("${GTR_AI_CMD_ARGS[@]}")
 
   if ! ai_can_start; then
     log_error "Cursor not found. Install from https://cursor.com"
@@ -25,9 +26,9 @@ ai_start() {
 
   # Try cursor-agent first, then fallback to cursor CLI commands
   if command -v cursor-agent >/dev/null 2>&1; then
-    (cd "$path" && cursor-agent "$@")
+    (cd "$path" && cursor-agent "${configured_args[@]}" "$@")
   elif command -v cursor >/dev/null 2>&1; then
     # Try various Cursor CLI patterns (implementation varies by version)
-    (cd "$path" && cursor cli "$@") 2>/dev/null || (cd "$path" && cursor "$@")
+    (cd "$path" && cursor cli "${configured_args[@]}" "$@") 2>/dev/null || (cd "$path" && cursor "${configured_args[@]}" "$@")
   fi
 }

adapters/editor/nano.sh

@@ -10,12 +10,18 @@ editor_can_open() {
 # Usage: editor_open path
 editor_open() {
   local path="$1"
+  local configured_args=("${GTR_EDITOR_CMD_ARGS[@]}")
 
   if ! editor_can_open; then
     log_error "Nano not found. Usually pre-installed on Unix systems."
     return 1
   fi
 
+  if [ "${#configured_args[@]}" -gt 0 ]; then
+    (cd "$path" && nano "${configured_args[@]}")
+    return $?
+  fi
+
   # Open nano in the directory (just cd there, nano doesn't open directories)
   log_info "Opening shell in $path (nano doesn't support directory mode)"
   (cd "$path" && exec "$SHELL")

bin/git-gtr

@@ -100,6 +100,9 @@ main() {
     init)
       cmd_init "$@"
       ;;
+    trust)
+      cmd_trust "$@"
+      ;;
     version|--version|-v)
       echo "git gtr version $GTR_VERSION"
       ;;

completions/_git-gtr

@@ -45,6 +45,7 @@ _git-gtr() {
     'config:Manage configuration'
     'completion:Generate shell completions'
     'init:Generate shell integration for cd support'
+    'trust:Trust .gtrconfig commands'
     'version:Show version'
     'help:Show help'
   )

completions/git-gtr.fish

@@ -54,6 +54,7 @@ complete -f -c git -n '__fish_git_gtr_using_command completion' -a 'bash zsh fis
 complete -f -c git -n '__fish_git_gtr_needs_command' -a init -d 'Generate shell integration for cd support'
 complete -f -c git -n '__fish_git_gtr_using_command init' -a 'bash zsh fish' -d 'Shell type'
 complete -c git -n '__fish_git_gtr_using_command init' -l as -d 'Custom function name' -r
+complete -f -c git -n '__fish_git_gtr_needs_command' -a trust -d 'Trust .gtrconfig commands'
 complete -f -c git -n '__fish_git_gtr_needs_command' -a version -d 'Show version'
 complete -f -c git -n '__fish_git_gtr_needs_command' -a help -d 'Show help'