CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-06-25 02:59:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge PR #1368: pass cwd to git via execFileSync, not interpolation through /bin/sh

Browse Source
This commit is contained in:
Garry Tan
2026-05-08 21:42:08 -07:00
parent 9cffb1575d d173a651a0
commit 99402350db
2 changed files with 54 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bin/gstack-memory-ingest.ts
+8 -1
View File
@@ -632,9 +632,16 @@ function extractContentText(rec: any): string {
function resolveGitRemote(cwd: string): string {
if (!cwd) return "";
try {
const out = execSync(`git -C ${JSON.stringify(cwd)} remote get-url origin 2>/dev/null`, {
// execFileSync (no shell) so `cwd` cannot trigger command substitution.
// Transcript JSONL records are an untrusted surface (a poisoned `.cwd`
// value containing `"$(...)"` survived `JSON.stringify` interpolation
// into a `/bin/sh -c` context, since JSON quoting does not escape `$`
// or backticks). Mirrors the execFileSync pattern this module already
// uses for `gbrainAvailable()` (line 762) and `gbrainPutPage()` (line 816).
const out = execFileSync("git", ["-C", cwd, "remote", "get-url", "origin"], {
encoding: "utf-8",
timeout: 2000,
stdio: ["ignore", "pipe", "ignore"],
});
return canonicalizeRemote(out.trim());
} catch {