[plugins][security] Harden git argv against command-line injection (3 CodeQL high alerts) #6

Description

@kreneskyp

Context

CodeQL reports 3 high-severity js/second-order-command-line-injection alerts in src/resolve.ts on main. They are pre-existing in the git resolver (NOT introduced by the discovery or npm features; those are tracked separately). Source-descriptor fields (repo, url, ref, sha) flow into the git argv via execFileSync. execFileSync avoids a shell, so shell metacharacters are not the problem, but git itself parses any argument that begins with - as an option: a url or ref value such as --upload-pack=<cmd> or --output=… lands in argv as a flag instead of a value (second-order argument injection).

This is the "separate PR" agreed during review for the pre-existing git alerts.

Alert locations (src/resolve.ts)

  • defaultGitRunner: execFileSync("git", args, …) (~line 20).
  • git clone --filter=blob:none --no-checkout <url> … / git fetch … origin built from source.url/repo (~lines 122/128).
  • git checkout --detach <wanted> where wanted = source.sha ?? source.ref ?? "HEAD" (~lines 137–138).

Tasks

  • Extend the existing reqArg guard (src/sources.ts, added in #3 feat: resolve npm sources via npm pack; rejects values beginning with -) to the git source fields in normalizeSource: apply to github.repo, git.url, git-subdir.url, url.url.
  • Guard ref / sha against option-like values (these are not validated in normalizeSource today): reject a leading - before they reach git checkout. (Note: git checkout -- <ref> is not a fix, because after -- git checkout treats the remaining arguments as pathspecs rather than as a ref, so prefer rejection over an argv separator.)
  • Confirm resolveSource calls normalizeSource before any git invocation (it does — keep it that way).
  • Add tests for each rejected field (repo/url/ref/sha beginning with - must raise SourceError).
  • Add the corresponding spec constraints/ACs (mirror FR-004-CON-3) + TC rows; keep 100% coverage.
  • Open as its own PR off main (do NOT fold into #2 feat: plugin discovery (search npm/GitHub for compatible plugins) or #3 feat: resolve npm sources via npm pack).
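The guard the tasks above describe, written out as an added example (this is not the project's src/sources.ts; the Source shape, SourceError, reqArg, optArg and normalizeSource are modelled on the issue text and are assumptions). gitArgv reproduces the clone / checkout argv from the alert locations only to make the injection visible: on an unnormalized descriptor the url or ref slot of argv is a flag, on a normalized one the guard has already thrown. The sample descriptors are constructed and point at no real repository.

```typescript
type RefFields = { ref?: string; sha?: string };

// Source descriptor shape assumed from the field names in the issue.
type Source =
  | ({ type: "github"; repo: string } & RefFields)
  | ({ type: "git"; url: string } & RefFields)
  | ({ type: "git-subdir"; url: string; path: string } & RefFields)
  | { type: "url"; url: string };

type GitSource = Extract<Source, { type: "git" | "git-subdir" }>;

class SourceError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "SourceError";
  }
}

// Reject anything git would parse as an option. A leading "-" covers short
// flags (-x) and long flags (--upload-pack=<cmd>); the empty string is rejected
// too because it cannot name a repo, url, ref or sha.
function reqArg(field: string, value: unknown): string {
  if (typeof value !== "string" || value.length === 0) {
    throw new SourceError(`${field} must be a non-empty string`);
  }
  if (value.startsWith("-")) {
    throw new SourceError(`${field} must not begin with "-": ${JSON.stringify(value)}`);
  }
  return value;
}

// ref / sha are optional, but when present they get the same guard.
function optArg(field: string, value: unknown): string | undefined {
  return value === undefined ? undefined : reqArg(field, value);
}

// Every field that reaches git argv is validated here, so resolveSource only
// has to call normalizeSource once before the first git invocation.
function normalizeSource(source: Source): Source {
  switch (source.type) {
    case "github":
      return {
        ...source,
        repo: reqArg("github.repo", source.repo),
        ref: optArg("github.ref", source.ref),
        sha: optArg("github.sha", source.sha),
      };
    case "git":
      return {
        ...source,
        url: reqArg("git.url", source.url),
        ref: optArg("git.ref", source.ref),
        sha: optArg("git.sha", source.sha),
      };
    case "git-subdir":
      return {
        ...source,
        url: reqArg("git-subdir.url", source.url),
        ref: optArg("git-subdir.ref", source.ref),
        sha: optArg("git-subdir.sha", source.sha),
      };
    case "url":
      return { ...source, url: reqArg("url.url", source.url) };
    default:
      throw new SourceError("unknown source type");
  }
}

// The two git invocations from the alert locations, built from a source that
// has NOT been normalized, so the effect of a hostile field is visible.
function gitArgv(source: GitSource, dir: string): string[][] {
  const wanted = source.sha ?? source.ref ?? "HEAD";
  return [
    ["clone", "--filter=blob:none", "--no-checkout", source.url, dir],
    ["-C", dir, "checkout", "--detach", wanted],
  ];
}

// Returns the SourceError message, or null when the descriptor is accepted.
function rejection(source: Source): string | null {
  try {
    normalizeSource(source);
    return null;
  } catch (e) {
    if (e instanceof SourceError) return e.message;
    throw e;
  }
}

// Constructed sample descriptors (no real repository behind them).
const benign: GitSource = { type: "git", url: "https://example.com/plugin.git", ref: "v1.2.0" };
const evilUrl: GitSource = { type: "git", url: "--upload-pack=/tmp/evil.sh" };
const evilRef: GitSource = { type: "git", url: "https://example.com/plugin.git", ref: "--output=/tmp/x" };
```

Without the guard, gitArgv(evilUrl, dir) puts `--upload-pack=/tmp/evil.sh` where the clone URL belongs, and gitArgv(evilRef, dir) puts `--output=/tmp/x` where the checkout target belongs; with it, rejection() returns a SourceError message for both and null for the benign descriptor. Keeping the check in normalizeSource rather than next to each execFileSync call is what lets the "resolveSource calls normalizeSource before any git invocation" invariant stand in for per-call sanitization.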

Acceptance criteria

  • The 3 CodeQL alerts are resolved (no high second-order-command-line-injection on the branch).
  • Option-like repo/url/ref/sha are rejected with SourceError (tests).
  • src/** stays at 100% coverage; quire validate clean.

Labels: plugins (Plugin system / discovery / marketplace)