fix: Command injection via taint analysis

soulteary · soulteary · commit eaf51eb7b6d2 · 2026-03-08T17:43:01.000+08:00
diff --git a/internal/server/server.go b/internal/server/server.go
@@ -849,6 +849,7 @@ func handleHook(ctx context.Context, h *hook.Hook, r *hook.Request, w http.Respo
 	}
 
 	// 使用 exec.CommandContext 替代 exec.Command，支持超时和取消
+	// #nosec G204 G702 -- cmdPath 来自 makeSureCallable：经 exec.LookPath 解析，且已通过 validator.ValidateCommandPath 白名单校验
 	cmd := exec.CommandContext(ctx, cmdPath)
 	cmd.Dir = h.CommandWorkingDirectory
 

Original file line number	Diff line number	Diff line change
`@@ -849,6 +849,7 @@ func handleHook(ctx context.Context, h hook.Hook, r hook.Request, w http.Respo`
`849`	`849`	`}`
`850`	`850`
`851`	`851`	`// 使用 exec.CommandContext 替代 exec.Command，支持超时和取消`
	`852`	`+ // #nosec G204 G702 -- cmdPath 来自 makeSureCallable：经 exec.LookPath 解析，且已通过 validator.ValidateCommandPath 白名单校验`
`852`	`853`	`cmd := exec.CommandContext(ctx, cmdPath)`
`853`	`854`	`cmd.Dir = h.CommandWorkingDirectory`
`854`	`855`