fix: prevent Git argument injection RCE (#542)

wsutina · web-flow · commit 11a3ef7ff8fe · 2026-02-17T17:57:09.000+11:00
## Problem Malicious Git URLs starting with `--` could inject command-line arguments into git commands, potentially executing arbitrary code during package installation or validation. ## Fixes 1. Validate URLs - Reject URLs starting with `-` 2. Argument separator - Add `--` in all git commands to separate options from arguments ## Test ``` description = "Malicious package" binaries = ["evil"] source = "--upload-pack=sh -c 'echo PWNED > /tmp/hermit-pwned' #https://github.com/fake/repo.git" version "1.0.0" { } ``` <img width="1829" height="423" alt="Screenshot 2026-02-17 at 5 03 20 pm" src="https://github.com/user-attachments/assets/d520134a-4c3f-4d78-9977-3e2dc758060d" />
diff --git a/cache/git.go b/cache/git.go
@@ -23,12 +23,16 @@ func (s *gitSource) OpenLocal(c *Cache, checksum string) (*os.File, error) {
 func (s *gitSource) Download(b *ui.Task, cache *Cache, checksum string) (string, string, string, error) {
 	base := BasePath(checksum, s.URL)
 	checkoutDir := filepath.Join(cache.root, base)
-	repo, tag := parseGitURL(s.URL)
-	args := []string{"git", "clone", "--depth=1", repo, checkoutDir}
+	repo, tag, err := parseGitURL(s.URL)
+	if err != nil {
+		return "", "", "", err
+	}
+	args := []string{"git", "clone", "--depth=1"}
 	if tag != "" {
 		args = append(args, "--branch="+tag)
 	}
-	err := util.RunInDir(b, cache.root, args...)
+	args = append(args, "--", repo, checkoutDir)
+	err = util.RunInDir(b, cache.root, args...)
 	if err != nil {
 		return "", "", "", errors.WithStack(err)
 	}
@@ -43,11 +47,14 @@ func (s *gitSource) Download(b *ui.Task, cache *Cache, checksum string) (string,
 }
 
 func (s *gitSource) ETag(b *ui.Task) (etag string, err error) {
-	repo, tag := parseGitURL(s.URL)
+	repo, tag, err := parseGitURL(s.URL)
+	if err != nil {
+		return "", err
+	}
 	if tag == "" {
 		tag = "HEAD"
 	}
-	bts, err := util.Capture(b, "git", "ls-remote", repo, tag)
+	bts, err := util.Capture(b, "git", "ls-remote", "--", repo, tag)
 	if err != nil {
 		return "", errors.Wrap(err, s.URL)
 	}
@@ -61,23 +68,32 @@ func (s *gitSource) ETag(b *ui.Task) (etag string, err error) {
 }
 
 func (s *gitSource) Validate() error {
-	repo, tag := parseGitURL(s.URL)
+	repo, tag, err := parseGitURL(s.URL)
+	if err != nil {
+		return err
+	}
 	if tag == "" {
 		tag = "HEAD"
 	}
-	cmd := exec.Command("git", "ls-remote", repo, tag)
+	cmd := exec.Command("git", "ls-remote", "--", repo, tag)
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		return errors.Wrapf(err, "error getting remote HEAD: %s", string(out))
 	}
 	return nil
 }
 
-func parseGitURL(source string) (repo, tag string) {
+func parseGitURL(source string) (repo, tag string, err error) {
 	parts := strings.SplitN(source, "#", 2)
 	repo = parts[0]
+
+	// Validate repo doesn't start with dash to prevent argument injection
+	if strings.HasPrefix(repo, "-") {
+		return "", "", errors.Errorf("invalid git URL: repository cannot start with '-': %s", repo)
+	}
+
 	if len(parts) > 1 {
 		tag = parts[1]
 	}
-	return
+	return repo, tag, nil
 }
diff --git a/cache/source_test.go b/cache/source_test.go
@@ -1,16 +1,111 @@
 package cache
 
 import (
+	"os"
+	"os/exec"
+	"path/filepath"
 	"testing"
 
 	"github.com/alecthomas/assert/v2"
 )
 
 func TestGitParseRepo(t *testing.T) {
-	repo, tag := parseGitURL("org-49461806@github.com:squareup/orc.git")
+	repo, tag, err := parseGitURL("org-49461806@github.com:squareup/orc.git")
+	assert.NoError(t, err)
 	assert.Equal(t, "org-49461806@github.com:squareup/orc.git", repo)
 	assert.Equal(t, "", tag)
-	repo, tag = parseGitURL("org-49461806@github.com:squareup/orc.git#v1.2.3")
+	repo, tag, err = parseGitURL("org-49461806@github.com:squareup/orc.git#v1.2.3")
+	assert.NoError(t, err)
 	assert.Equal(t, "org-49461806@github.com:squareup/orc.git", repo)
 	assert.Equal(t, "v1.2.3", tag)
 }
+
+func TestParseGitURLArgumentInjection(t *testing.T) {
+	tests := []struct {
+		url         string
+		expectError bool
+	}{
+		{"--upload-pack=sh -c 'echo OWNED' #file:///tmp/repo/.git", true},
+		{"--config core.sshCommand='touch /tmp/pwned' git@github.com:fake/repo.git", true},
+		{"-v https://github.com/user/repo.git", true},
+		{"https://github.com/cashapp/hermit.git#v1.0.0", false},
+		{"git@github.com:cashapp/hermit.git#main", false},
+		{"file:///path/to/repo.git", false},
+	}
+
+	for _, tt := range tests {
+		_, _, err := parseGitURL(tt.url)
+		if tt.expectError {
+			assert.Error(t, err, "Should reject: "+tt.url)
+		} else {
+			assert.NoError(t, err, "Should accept: "+tt.url)
+		}
+	}
+}
+
+// TestGitSourcePreventRCE verifies all git operations reject malicious URLs.
+func TestGitSourcePreventRCE(t *testing.T) {
+	tmpDir := t.TempDir()
+	pwnedFile := filepath.Join(tmpDir, "pwned")
+	maliciousURL := "--upload-pack=sh -c 'echo OWNED > " + pwnedFile + "' #file://" + tmpDir + "/.git"
+
+	src := &gitSource{URL: maliciousURL}
+	err := src.Validate()
+	assert.Error(t, err)
+
+	cache := &Cache{root: tmpDir}
+	_, _, _, err = src.Download(nil, cache, "test")
+	assert.Error(t, err)
+
+	_, err = src.ETag(nil)
+	assert.Error(t, err)
+
+	_, fileErr := os.Stat(pwnedFile)
+	assert.True(t, os.IsNotExist(fileErr))
+}
+
+// TestGitSourceRCEAttempt simulates a real attack with an actual git repository.
+func TestGitSourceRCEAttempt(t *testing.T) {
+	if _, err := exec.LookPath("git"); err != nil {
+		t.Skip("git command not found")
+	}
+
+	tmpDir := t.TempDir()
+	repoDir := filepath.Join(tmpDir, "repo")
+	assert.NoError(t, os.MkdirAll(repoDir, 0750))
+	assert.NoError(t, exec.Command("git", "init", repoDir).Run())
+
+	pwnedFile := filepath.Join(tmpDir, "pwned")
+	payload := "--upload-pack=sh -c 'echo OWNED > " + pwnedFile + "' #file://" + repoDir + "/.git"
+
+	src := &gitSource{URL: payload}
+	err := src.Validate()
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid git URL")
+
+	_, fileErr := os.Stat(pwnedFile)
+	if !os.IsNotExist(fileErr) {
+		t.Fatal("SECURITY FAILURE: RCE was NOT prevented!")
+	}
+}
+
+func TestGitURLParsing(t *testing.T) {
+	tests := []struct {
+		url  string
+		repo string
+		tag  string
+	}{
+		{"org-49461806@github.com:squareup/orc.git", "org-49461806@github.com:squareup/orc.git", ""},
+		{"org-49461806@github.com:squareup/orc.git#v1.2.3", "org-49461806@github.com:squareup/orc.git", "v1.2.3"},
+		{"https://github.com/cashapp/hermit.git#main", "https://github.com/cashapp/hermit.git", "main"},
+		{"file:///home/user/repo.git#develop", "file:///home/user/repo.git", "develop"},
+	}
+
+	for _, tt := range tests {
+		repo, tag, err := parseGitURL(tt.url)
+		assert.NoError(t, err)
+		assert.Equal(t, tt.repo, repo)
+		assert.Equal(t, tt.tag, tag)
+	}
+}
