
fix(server): Escape update args #532

Merged
ssiyad merged 1 commit into develop from fix/server/escape_update_args on Jun 8, 2026

Conversation

ssiyad (Member) commented Jun 8, 2026

No description provided.

greptile-apps (Bot) commented Jun 8, 2026

Greptile Summary

Escapes url and branch arguments passed into shell commands inside update_agent_web using shlex.quote, preventing shell injection when either value contains special characters. Also adds a branch or "master" fallback so None never reaches shlex.quote.

  • shlex.quote is applied to both git remote set-url upstream <url> and the two git checkout/git merge commands; since subprocess.Popen is called with shell=True, this is the correct quoting approach.
  • The upstream/{shlex.quote(branch)} pattern works correctly: the shell concatenates the bare upstream/ prefix with the single-quoted branch token at runtime.

Confidence Score: 5/5

The change is narrow and correct — it quotes two user-controlled values before interpolating them into shell commands executed with shell=True, eliminating the injection surface without changing any other behavior.

The quoting strategy is appropriate for the shell=True execution model, the None guard is in place, and the upstream/branch concatenation pattern is valid shell syntax. No other code paths are touched.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| agent/server.py | Adds shlex.quote() around url and branch args in update_agent_web; also adds branch = branch or "master" guard to prevent None reaching shlex.quote. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Caller
    participant update_agent_web
    participant shlex
    participant subprocess
    participant git

    Caller->>update_agent_web: url, branch (untrusted)
    update_agent_web->>update_agent_web: "branch = branch or "master""
    update_agent_web->>shlex: quote(url)
    shlex-->>update_agent_web: 'escaped_url'
    update_agent_web->>subprocess: "git remote set-url upstream 'escaped_url' (shell=True)"
    subprocess->>git: safe literal arg

    update_agent_web->>shlex: quote(branch)
    shlex-->>update_agent_web: 'escaped_branch'
    update_agent_web->>subprocess: "git checkout 'escaped_branch' (shell=True)"
    subprocess->>git: safe literal arg

    update_agent_web->>subprocess: "git merge --ff-only upstream/'escaped_branch' (shell=True)"
    subprocess->>git: upstream/escaped_branch via shell concatenation
```

Reviews (2): Last reviewed commit: "fix(server): Escape update args"
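As an added example of the quoting the summary above describes (this is not code from the PR or from agent/server.py): a hypothetical stand-in builds the same three command strings as the fix, the pre-fix unquoted shape sits beside it for comparison, and a tokeniser shows how a POSIX shell would split each string. Assumed: the helper names, the sample URL and branch values, and that the real function hands these strings to subprocess.Popen(shell=True) rather than returning them.

```python
import shlex
from typing import List, Optional

# Hypothetical stand-in for update_agent_web in agent/server.py: it builds the
# same three command strings the fix passes to subprocess.Popen(..., shell=True),
# but returns them instead of running git.
def build_update_commands(url: str, branch: Optional[str]) -> List[str]:
    branch = branch or "master"  # the PR's None guard: shlex.quote(None) would raise
    q_url = shlex.quote(url)
    q_branch = shlex.quote(branch)
    return [
        f"git remote set-url upstream {q_url}",
        f"git checkout {q_branch}",
        # bare upstream/ prefix followed by the quoted token; the shell joins them
        f"git merge --ff-only upstream/{q_branch}",
    ]


def build_update_commands_unquoted(url: str, branch: Optional[str]) -> List[str]:
    # Pre-fix shape, constructed here only for comparison: raw interpolation.
    branch = branch or "master"
    return [
        f"git remote set-url upstream {url}",
        f"git checkout {branch}",
        f"git merge --ff-only upstream/{branch}",
    ]


def shell_tokens(cmd: str) -> List[str]:
    """Split cmd the way a POSIX shell would, keeping ; | & as their own tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


if __name__ == "__main__":
    url = "https://example.com/repo.git"  # constructed sample input
    branch = "main; echo pwned"           # constructed: contains shell metacharacters
    for cmd in build_update_commands_unquoted(url, branch):
        print("unquoted:", shell_tokens(cmd))
    for cmd in build_update_commands(url, branch):
        print("quoted:  ", shell_tokens(cmd))
```

With the unquoted shape the `;` becomes a command separator token; with shlex.quote the whole branch value, including the upstream/ prefix in the merge command, stays one argument.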

Comment thread agent/server.py
ssiyad force-pushed the fix/server/escape_update_args branch from 8398a74 to 4c3a033 on June 8, 2026 17:10
ssiyad merged commit 55f0a01 into develop on Jun 8, 2026
4 of 5 checks passed
ssiyad deleted the fix/server/escape_update_args branch on June 8, 2026 17:13
ssiyad added a commit that referenced this pull request Jun 10, 2026
fix(server): Escape update args (backport #532)