
🛡️ Sentinel: [MEDIUM] Hardening Git and HTTP operations in remote_fetch #19

Draft
T-ahamed2 wants to merge 3 commits into main from sentinel-git-http-hardening-11274516767056671896

🛡️ Sentinel: [MEDIUM] Hardening Git and HTTP operations in remote_fetch#19
T-ahamed2 wants to merge 3 commits into
mainfrom
sentinel-git-http-hardening-11274516767056671896

Conversation

@T-ahamed2 (Owner)

🚨 Severity: MEDIUM
💡 Vulnerability: Potential argument injection in Git commands and resource exhaustion via indefinite HTTP hangs.
🎯 Impact: An attacker providing a malicious Git ref starting with a hyphen could potentially inject CLI flags. Lack of HTTP timeouts could lead to DoS through resource exhaustion.
🔧 Fix: Added '--' to Git commands, implemented HTTP timeouts, and ensured context propagation for child processes.
✅ Verification: Ran 'go test ./pkg/parser/...' and 'make agent-report-progress-lint'. Core tests passed.


PR created automatically by Jules for task 11274516767056671896 started by @T-ahamed2

- Fix Git argument injection by adding '--' separator to all git commands involving user-controlled inputs (refs, paths, repo URLs).
- Prevent resource exhaustion by replacing http.DefaultClient with a timed client (DefaultHTTPClientTimeout) in public API fallback paths.
- Improve process management by using exec.CommandContext in downloadFileViaGit and downloadFileViaGitClone to properly propagate cancellation.
- Add security learning to .jules/sentinel.md.
@google-labs-jules


👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai Bot commented Jun 30, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 716dbaf8-c1c1-49ef-ba15-bc6088244941

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist Bot left a comment


Code Review

This pull request enhances security and resource management by introducing the -- separator in Git commands to prevent argument injection, replacing http.DefaultClient with a custom client that enforces timeouts, and utilizing exec.CommandContext to respect context lifecycles. The reviewer identified two critical issues where the -- separator was placed incorrectly: in git archive, placing it before the tree-ish ref instead of the path will cause the command to fail, and in git checkout, placing it before the commit SHA ref incorrectly forces Git to treat the commit as a pathspec.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

// #nosec G204 -- repoURL, ref, and path are from workflow import configuration authored by the
// developer; exec.Command with separate args (not shell execution) prevents shell injection.
cmd := exec.Command("git", "archive", "--remote="+repoURL, ref, path)
cmd := exec.CommandContext(ctx, "git", "archive", "--remote="+repoURL, "--", ref, path)
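Review bot: the `#nosec G204` justification above the new line is now stale: it states that repoURL, ref and path are developer-authored and only addresses shell injection, while this PR treats the ref as potentially attacker-controlled and adds `--` specifically against flag injection. Update the comment to give the real reasoning, and note in it that for `git archive` the `--` can only protect `path`: `ref` is consumed as the tree-ish before the separator, so a ref beginning with `-` has to be rejected by validation rather than by `--`.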


critical

In git archive, the -- separator marks the end of options and the start of paths/files, not the tree-ish (ref). Placing -- before ref causes git to treat ref as a pathspec rather than the target tree-ish, which will cause the command to fail. The correct syntax is git archive [options] <tree-ish> -- <path>.

Suggested change
cmd := exec.CommandContext(ctx, "git", "archive", "--remote="+repoURL, "--", ref, path)
cmd := exec.CommandContext(ctx, "git", "archive", "--remote="+repoURL, ref, "--", path)

Comment thread: pkg/parser/remote_fetch.go (Outdated)

// Now checkout the specific commit
checkoutCmd := exec.Command("git", "-C", tmpDir, "checkout", ref)
checkoutCmd := exec.CommandContext(ctx, "git", "-C", tmpDir, "checkout", "--", ref)
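Review bot: whichever form this line ends up in, the protection against a hyphen-prefixed ref at this call rests on the earlier `isSHA` check and not on `--` (which git reads as the start of a pathspec, turning the SHA into a file path to restore). A one-line comment here stating that `ref` is a validated 40-hex commit SHA would keep that invariant visible, so a later change that loosens the `isSHA` branch does not silently reopen the flag-injection path.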


critical

In git checkout, the -- separator is used to distinguish between branches/commits and file paths. Placing -- before ref forces git to treat ref as a pathspec (file/directory path) to restore, rather than a commit/branch to checkout. Since ref is a 40-character commit SHA (as isSHA is true), it cannot start with a hyphen and does not need protection from option injection. Removing -- ensures the commit is correctly checked out.

Suggested change
checkoutCmd := exec.CommandContext(ctx, "git", "-C", tmpDir, "checkout", "--", ref)
checkoutCmd := exec.CommandContext(ctx, "git", "-C", tmpDir, "checkout", ref)
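As an added example (not code from the PR or the repository), the two argument lists and the timed HTTP client built so that `--` sits only where git honours it: for `git archive` the ref precedes `--` and cannot be shielded by it, so a hyphen check stands in, while for `git checkout` the SHA is validated rather than guarded by `--`. The names `isSHA`, `gitArchiveArgs`, `gitCheckoutArgs`, `newHTTPClient` and `runGit` are hypothetical stand-ins, not the project's own functions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"os/exec"
	"regexp"
	"strings"
	"time"
)

// DefaultHTTPClientTimeout mirrors the 30s value the PR names; it replaces
// http.DefaultClient, which never times out.
const DefaultHTTPClientTimeout = 30 * time.Second

var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// isSHA is a hypothetical stand-in for the check the review refers to:
// a full 40-hex-digit commit id can never begin with '-'.
func isSHA(ref string) bool { return shaRe.MatchString(ref) }

// gitArchiveArgs builds argv for `git archive`. "--" can only separate the
// pathspec; the tree-ish is parsed before it, so an option-looking ref has to
// be rejected here instead.
func gitArchiveArgs(repoURL, ref, path string) ([]string, error) {
	if strings.HasPrefix(ref, "-") {
		return nil, errors.New("ref may not start with '-': it sits before '--'")
	}
	return []string{"archive", "--remote=" + repoURL, ref, "--", path}, nil
}

// gitCheckoutArgs builds argv for checking out a commit inside tmpDir. A "--"
// before the SHA would make git read it as a pathspec, so validate instead.
func gitCheckoutArgs(tmpDir, ref string) ([]string, error) {
	if !isSHA(ref) {
		return nil, fmt.Errorf("checkout expects a full commit SHA, got %q", ref)
	}
	return []string{"-C", tmpDir, "checkout", ref}, nil
}

// newHTTPClient is the timed client for the public-API fallback path.
func newHTTPClient() *http.Client { return &http.Client{Timeout: DefaultHTTPClientTimeout} }

// runGit executes git with ctx so that cancellation also kills the child.
func runGit(ctx context.Context, args []string) ([]byte, error) {
	return exec.CommandContext(ctx, "git", args...).CombinedOutput()
}
```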

- Fix Git argument injection by adding '--' separator to git commands.
- Prevent resource exhaustion by enforcing HTTP timeouts and context propagation.
- Address CI failures in link-check by ensuring reports/ directory existence.
- Resolve error-message-lint and other linting issues (defer in loops, string checks).
- Add security learning to .jules/sentinel.md.

This commit hardens the application against Git argument injection by adding the `--` separator to all Git subprocess calls. It also mitigates resource exhaustion risks by implementing HTTP timeouts and ensuring subprocesses respect context cancellation.

- Prevent Git flag injection in clone, ls-remote, archive, and checkout.
- Implement DefaultHTTPClientTimeout (30s) for remote fetches.
- Use exec.CommandContext for improved process management.
- Refactor error messages to include constructive guidance and examples while preserving operational context.
- Fix CI link-check failure by maintaining reports/ directory.