From d68ea1e4705108d5f2f2b615e814f82a2893402e Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 23 Jun 2026 16:33:28 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL/H?= =?UTF-8?q?IGH]=20Fix=20git=20fsmonitor=20RCE=20vulnerability?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added `_SAFE_GIT_CONFIG = ("-c", "core.fsmonitor=false")` to `src/wardline/core/delta.py` and `src/wardline/core/legis.py` and updated all `subprocess.run(["git", ...])` calls to use it. This prevents arbitrary local code execution when running git commands against untrusted repositories containing malicious `.git/config` files that exploit the `core.fsmonitor` setting. Updated the mock arguments in `tests/unit/core/test_delta.py` to match the new invocation. Co-authored-by: tachyon-beep <544926+tachyon-beep@users.noreply.github.com> --- .jules/sentinel.md | 4 ++++ src/wardline/core/delta.py | 10 ++++++---- src/wardline/core/legis.py | 6 ++++-- tests/unit/core/test_delta.py | 20 ++++++++++++++++++-- 4 files changed, 32 insertions(+), 8 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 00000000..515a910d --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## $(date +%Y-%m-%d) - Prevent RCE via malicious .git/config core.fsmonitor +**Vulnerability:** Invoking `git` operations (like `diff` or `ls-files`) programmatically in untrusted repositories without overriding configuration can allow arbitrary command execution via a malicious `.git/config` setting `core.fsmonitor`. +**Learning:** `subprocess.run(["git", ...])` is not completely safe, even for seemingly innocuous commands like `git diff` or `git rev-parse`. A repository downloaded from an untrusted source might carry a customized configuration that points to an executable bundled with the repository. +**Prevention:** When invoking `git` via `subprocess` against potentially untrusted directories, always apply the configuration `("-c", "core.fsmonitor=false")` (typically defined as `_SAFE_GIT_CONFIG`) directly in the command arguments. diff --git a/src/wardline/core/delta.py b/src/wardline/core/delta.py index c4d63f0e..764c3c47 100644 --- a/src/wardline/core/delta.py +++ b/src/wardline/core/delta.py @@ -11,6 +11,8 @@ if TYPE_CHECKING: from wardline.scanner.index import Entity +_SAFE_GIT_CONFIG = ("-c", "core.fsmonitor=false") + def get_changed_files_since(ref: str, root: Path) -> set[str]: """Get the set of file paths (repo-relative, POSIX-style matching Location.path) @@ -22,7 +24,7 @@ def get_changed_files_since(ref: str, root: Path) -> set[str]: # 1. Get the git toplevel directory. try: res = subprocess.run( - ["git", "rev-parse", "--show-toplevel"], + ["git", *_SAFE_GIT_CONFIG, "rev-parse", "--show-toplevel"], cwd=root, capture_output=True, text=True, @@ -38,7 +40,7 @@ def get_changed_files_since(ref: str, root: Path) -> set[str]: # 2. Resolve ref to a verified object id before passing it to git diff. try: res = subprocess.run( - ["git", "rev-parse", "--verify", "--end-of-options", ref], + ["git", *_SAFE_GIT_CONFIG, "rev-parse", "--verify", "--end-of-options", ref], cwd=git_toplevel, capture_output=True, text=True, @@ -54,7 +56,7 @@ def get_changed_files_since(ref: str, root: Path) -> set[str]: # 3. Get changed files since ref (committed since ref, staged, unstaged). try: res = subprocess.run( - ["git", "diff", "--name-only", verified_ref, "--"], + ["git", *_SAFE_GIT_CONFIG, "diff", "--name-only", verified_ref, "--"], cwd=git_toplevel, capture_output=True, text=True, @@ -68,7 +70,7 @@ def get_changed_files_since(ref: str, root: Path) -> set[str]: # 4. Get untracked files. try: res = subprocess.run( - ["git", "ls-files", "--others", "--exclude-standard"], + ["git", *_SAFE_GIT_CONFIG, "ls-files", "--others", "--exclude-standard"], cwd=git_toplevel, capture_output=True, text=True, diff --git a/src/wardline/core/legis.py b/src/wardline/core/legis.py index 87144974..da94836e 100644 --- a/src/wardline/core/legis.py +++ b/src/wardline/core/legis.py @@ -73,6 +73,8 @@ SCAN_SCOPE_FIELD = "scan_scope" SCAN_SCOPE_SCHEMA = "wardline-legis-scan-scope-1" +_SAFE_GIT_CONFIG = ("-c", "core.fsmonitor=false") + # The one shared vocabulary — legis carries these 8 tiers verbatim (TRUST_TIERS in # legis ingest.py). Sourced from the lattice so the two can never drift. TRUST_TIERS: frozenset[str] = frozenset(t.value for t in TaintState) @@ -199,7 +201,7 @@ def _git_tree_sha(root: Path) -> str | None: """ try: rev = subprocess.run( - ["git", "rev-parse", "HEAD^{tree}"], + ["git", *_SAFE_GIT_CONFIG, "rev-parse", "HEAD^{tree}"], cwd=root, capture_output=True, text=True, @@ -215,7 +217,7 @@ def _git_repo_root(root: Path) -> Path | None: """The containing git repository root, or None when unavailable.""" try: rev = subprocess.run( - ["git", "rev-parse", "--show-toplevel"], + ["git", *_SAFE_GIT_CONFIG, "rev-parse", "--show-toplevel"], cwd=root, capture_output=True, text=True, diff --git a/tests/unit/core/test_delta.py b/tests/unit/core/test_delta.py index 5b16c7af..9d0ca7ba 100644 --- a/tests/unit/core/test_delta.py +++ b/tests/unit/core/test_delta.py @@ -43,8 +43,24 @@ def run_dispatch(args, **kwargs): res = get_changed_files_since("HEAD~1", root) assert res == {"foo.py", "bar.py", "baz.py"} - assert mock_run.call_args_list[1].args[0] == ["git", "rev-parse", "--verify", "--end-of-options", "HEAD~1"] - assert mock_run.call_args_list[2].args[0] == ["git", "diff", "--name-only", "abc123", "--"] + assert mock_run.call_args_list[1].args[0] == [ + "git", + "-c", + "core.fsmonitor=false", + "rev-parse", + "--verify", + "--end-of-options", + "HEAD~1", + ] + assert mock_run.call_args_list[2].args[0] == [ + "git", + "-c", + "core.fsmonitor=false", + "diff", + "--name-only", + "abc123", + "--", + ] @patch("subprocess.run")