
@guptapratykshh
Contributor

Description

This PR fixes #3577 by removing shell=True from git command execution and converting all f-string commands to argument lists in the facade worker.

Signed commits

  • Yes, I signed my commits.

Collaborator

@shlokgilda shlokgilda left a comment


took a look at this - the fix is solid. nice catch on the shell=True issue.

couple notes from testing:

  1. git itself actually blocks the injection chars (backticks, $(), ;) in branch names - so the real attack surface was narrower than we initially thought. but | and & are still allowed, which could be exploited with shell=True, so this fix is still the right call.
  2. please confirm the intent behind the switch from git remote show origin | sed to git symbolic-ref.
  3. tiny nit: cmd: list could be cmd: list[str] for better type hints
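As an added illustration of the two points above (argument lists instead of shell=True, and doing the HEAD-branch extraction in Python rather than sed), here is example code that is not the PR's or the project's own; the function names and the sample `git remote show origin` output are assumptions.

```python
import subprocess
import sys
from typing import Optional

def run_git_command(cmd: list[str], cwd: Optional[str] = None) -> tuple[int, str]:
    """Run a command given as an argument list. No shell is involved, so
    characters such as '|', '&', ';' or '$(' in any argument are handed to
    the program literally instead of being interpreted as shell syntax."""
    proc = subprocess.run(cmd, cwd=cwd, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout

def parse_remote_head_branch(remote_show_output: str) -> Optional[str]:
    """Python-side replacement for the old `sed -n '/HEAD branch/s/.*: //p'`
    pipe: return the name after 'HEAD branch:' in `git remote show origin`
    output, or None when the line is missing or reads '(unknown)'."""
    for line in remote_show_output.splitlines():
        line = line.strip()
        if line.startswith("HEAD branch:"):
            name = line.split(":", 1)[1].strip()
            return name if name and name != "(unknown)" else None
    return None

def get_remote_default_branch(absolute_path: str) -> Optional[str]:
    """List-based equivalent of the f-string + shell pipeline (hypothetical helper)."""
    code, out = run_git_command(["git", "-C", absolute_path, "remote", "show", "origin"])
    if code != 0:
        return None
    return parse_remote_head_branch(out)

def argv_passes_literally(arg: str) -> str:
    """Show that an argument holding shell metacharacters reaches the child
    process unchanged. Uses the Python interpreter as the child so the check
    runs without git installed."""
    _, out = run_git_command([sys.executable, "-c", "import sys; print(sys.argv[1])", arg])
    return out.rstrip("\n")

# Constructed sample of `git remote show origin` output (not captured from a real repository).
SAMPLE_REMOTE_SHOW = """\
* remote origin
  Fetch URL: https://example.invalid/org/repo.git
  Push  URL: https://example.invalid/org/repo.git
  HEAD branch: main
  Remote branches:
    main tracked
"""

if __name__ == "__main__":
    print(parse_remote_head_branch(SAMPLE_REMOTE_SHOW))    # main
    print(argv_passes_literally("feature|branch & more"))  # feature|branch & more
```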

…lists to prevent command injection

Signed-off-by: guptapratykshh <pratykshgupta9999@gmail.com>
…trict typing

Replaces git symbolic-ref with git remote show origin parsed in Python to ensure accuracy while preventing command injection. Updates type hints.

Signed-off-by: guptapratykshh <pratykshgupta9999@gmail.com>
@guptapratykshh guptapratykshh force-pushed the fix/command-injection-facade-worker branch from b1913f4 to 3da58ce Compare January 15, 2026 16:52
Collaborator

@shlokgilda shlokgilda left a comment


PR looks good. Once you create the helper function, I think we are GTG

…code

Signed-off-by: guptapratykshh <pratykshgupta9999@gmail.com>
@guptapratykshh guptapratykshh force-pushed the fix/command-injection-facade-worker branch from 1ca8aad to a71e04f Compare January 15, 2026 18:24
shlokgilda previously approved these changes Jan 15, 2026
Collaborator

@shlokgilda shlokgilda left a comment


LGTM

Contributor

@MoralCode MoralCode left a comment


Overall I like the move to the list-based args and not using shell=True. There's a couple of unrelated changes in here though


getremotedefault = (
f"git -C {absolute_path} remote show origin | sed -n '/HEAD branch/s/.*: //p'")
getremotedefault = ["git", "-C", absolute_path, "symbolic-ref", "refs/remotes/origin/HEAD"]
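Review bot: the replacement command is not functionally equivalent to the pipe it replaces. `git symbolic-ref refs/remotes/origin/HEAD` reads a local ref that only exists when it was set at clone time (or later with `git remote set-head origin -a`) and fails or returns a stale value otherwise, whereas `git remote show origin` asks the remote. Keep `["git", "-C", absolute_path, "remote", "show", "origin"]` as the argument list and extract the `HEAD branch:` line in Python instead of sed, so the behaviour stays the same without the shell.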
Contributor


Need to confirm that this is functionally the same

Contributor Author


yes

Signed-off-by: guptapratykshh <pratykshgupta9999@gmail.com>
@guptapratykshh guptapratykshh force-pushed the fix/command-injection-facade-worker branch from bd88239 to 8d7d2a3 Compare January 15, 2026 19:35
Collaborator

@shlokgilda shlokgilda left a comment


LGTM

@sgoggins sgoggins added the high priority Blocking multiple other things, causing data loss, or other incredibly urgent things label Jan 20, 2026
@sgoggins sgoggins self-assigned this Jan 20, 2026
@MoralCode MoralCode added this to the v0.93.0 milestone Jan 21, 2026
Comment on lines -417 to +418
return_code_remote, remotedefault = facade_helper.run_git_command(
return_code_remote, output = facade_helper.run_git_command(
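Review bot: now that the raw `git remote show origin` text lands in `output` rather than a ready `remotedefault`, the caller needs to check `return_code_remote` and handle output with no `HEAD branch:` line (git prints `HEAD branch: (unknown)` when it cannot determine the remote HEAD) before using the parsed name; putting that parse in one shared facade_helper function would also avoid repeating it at each call site.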
Contributor


this feels like we are maybe duplicating a lot of code here. Can we maybe refactor some of this git access type of stuff into shared functions?

Development

Successfully merging this pull request may close these issues.

shell=True could lead to injection in Facade Worker

4 participants