Skip to content

Fix coding git remote auth validation#16

Draft
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/critical-bug-investigation-a1ed
Draft

Fix coding git remote auth validation#16
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/critical-bug-investigation-a1ed

Conversation

@cursor

@cursor cursor Bot commented Jun 19, 2026

Copy link
Copy Markdown

Bug and impact

Coding remote git tools attached the saved GitHub PAT to arbitrary remote values and clone URLs, including plaintext HTTP or attacker-controlled hosts. coding_git_push also accepted raw refspec-like branch values such as :main, allowing remote branch deletion despite the tool being intended for normal branch pushes.

Root cause

The URL guard only checked string prefixes and allowed http:// plus any host. Push/pull/fetch treated model-supplied remote and branch strings as direct git arguments before validating that the remote was a configured GitHub HTTPS remote or that the branch was a simple branch name.

Fix

  • Parse and restrict PAT-backed clone/remote URLs to credential-free https://github.com/....
  • Require push/pull/fetch remotes to be simple configured remote names and validate the configured URL before applying askpass auth.
  • Reject branch inputs that are options, refspecs, HEAD, or invalid branch names.
  • Added targeted unit tests for URL, remote-name, and branch-name validation.

Validation

  • cargo test git_auth --lib (passed: 3 tests).
Open in Web View Automation 

Co-authored-by: g00sifer Development Lab <g00siferdev-py@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant