Potential fix for code scanning alert no. 13: Uncontrolled command line #3
ArshVermaGit merged 1 commit into main
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
| repo_path = self._normalize_repo_path(repo_path) | ||
|
|
||
| # Defense-in-depth: reject invalid/option-like paths before command execution. | ||
| if not repo_path or repo_path.startswith("-") or not os.path.isdir(repo_path): |
| try: | ||
| result = subprocess.run( | ||
| ["git", "-C", repo_path] + args, | ||
| ["git", "-C", "--", repo_path] + args, |
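Review bot: the `["git", "-C", "--", repo_path] + args` line breaks every invocation instead of hardening it: `git -C` consumes the very next argument verbatim as the directory, so this runs `chdir("--")`, which fails unless a directory literally named `--` exists, and `repo_path` then lands in the subcommand position. Keep `["git", "-C", repo_path] + args`; the `not repo_path or repo_path.startswith("-") or not os.path.isdir(repo_path)` guard is what stops an option-like value from reaching git, and an end-of-options `--` only has meaning after the subcommand (for example `git -C <repo> log -- <pathspec>`), where git's option parser actually runs. Also, the body of that rejection branch does not appear in the hunk; confirm it raises (or returns an error) before the `subprocess.run` call rather than falling through to it.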
ArshVermaGit left a comment:
This is a thoughtful and defense-in-depth improvement that strengthens the safety guarantees around git execution without altering existing functionality. Hardening the `_run_git` sink is exactly the right place to centralize validation, since all command flows converge there. Normalizing paths, rejecting empty or non-directory inputs, and explicitly guarding against paths beginning with `-` closes off common option-injection vectors. Adding `--` before `repo_path` in the `git -C` invocation is a particularly strong safeguard, ensuring Git will not interpret user-influenced paths as flags even in edge cases. Retaining the linked-repo allowlist preserves intended behavior while preventing arbitrary path access, and the fact that this single change mitigates all three alert variants keeps the solution clean and maintainable. Overall, this is a precise and well-scoped hardening step that meaningfully reduces command-line injection risk while respecting the current architecture.
Potential fix for https://github.com/ArshVermaGit/SentinelOps-Autonomous-DevOps-AI/security/code-scanning/13
General fix: enforce strict validation immediately before process execution so only safe, expected repository paths are accepted, and prevent argument confusion in `git -C` by terminating option parsing.

Best fix here (without changing functionality): in `sentinelops-backend/app/services/local_git_service.py`, harden `_run_git` by:
- rejecting paths beginning with `-` (defense-in-depth for option injection);
- adding `--` before `repo_path` in the git argv: `["git", "-C", "--", repo_path] + args`, so git does not parse the repo path as an option.

This single sink hardening addresses all three alert variants, since they all flow into `_run_git`. No router changes are required for this specific fix.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.
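The hardened sink described above, written out as an added example rather than the project's own `_run_git`: it keeps the normalization, the empty/non-directory/option-like rejections and the linked-repo allowlist, and builds the argv as `["git", "-C", repo_path] + args`. The function names, the `GitSinkError` type and the `linked_repos` parameter are assumptions for this example; it relies on `git -C` consuming its argument verbatim, so no `--` is placed before the path.

```python
import os
import subprocess
import tempfile
from typing import Sequence


class GitSinkError(ValueError):
    """Raised when a repository path fails validation (hypothetical name)."""


def normalize_repo_path(repo_path: str) -> str:
    # Resolve "~", ".." and symlinks so the allowlist comparison is on canonical paths.
    return os.path.realpath(os.path.expanduser(repo_path))


def validate_repo_path(repo_path: str, linked_repos: Sequence[str]) -> str:
    # Check the raw value first: an absolute realpath can never start with "-",
    # so the option-like test must run before normalization to mean anything.
    if not repo_path:
        raise GitSinkError("empty repository path")
    if repo_path.startswith("-"):
        raise GitSinkError("option-like repository path rejected")
    resolved = normalize_repo_path(repo_path)
    if not os.path.isdir(resolved):
        raise GitSinkError(f"not a directory: {resolved}")
    allowed = {normalize_repo_path(p) for p in linked_repos}
    if resolved not in allowed:
        raise GitSinkError("repository path is not a linked repository")
    return resolved


def build_git_argv(repo_path: str, args: Sequence[str], linked_repos: Sequence[str]) -> list:
    # `git -C <dir>` takes the next argv element verbatim as the directory, so the
    # validation above, not a `--` marker, is what keeps input from becoming an option.
    resolved = validate_repo_path(repo_path, linked_repos)
    return ["git", "-C", resolved, *args]


def run_git(repo_path: str, args: Sequence[str], linked_repos: Sequence[str]):
    argv = build_git_argv(repo_path, args, linked_repos)
    return subprocess.run(argv, capture_output=True, text=True, check=False)


def rejects(repo_path: str, args: Sequence[str], linked_repos: Sequence[str]) -> bool:
    try:
        build_git_argv(repo_path, args, linked_repos)
    except GitSinkError:
        return True
    return False


def demo() -> dict:
    # Constructed scenario: one linked repo directory, one unlinked directory, bad inputs.
    with tempfile.TemporaryDirectory() as linked, tempfile.TemporaryDirectory() as other:
        return {
            "linked_argv": build_git_argv(linked, ["status"], [linked]),
            "linked_realpath": os.path.realpath(linked),
            "rejects_option": rejects("-x", ["status"], [linked]),
            "rejects_unlinked": rejects(other, ["status"], [linked]),
            "rejects_missing": rejects(os.path.join(linked, "missing"), ["status"], [linked]),
            "rejects_empty": rejects("", ["status"], [linked]),
        }
```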