test(git-gate): shell-escaping regression tests (issue #159) #167

Closed
didericis-claude wants to merge 2 commits from regression/issue-159-shell-escaping into main
Collaborator

Closes #159.

Related file: ca6d257f30/tests/unit/test_git_gate.py

Summary

  • Adds TestShellEscaping class to tests/unit/test_git_gate.py with 6 new test methods
  • Covers all six pathological character classes (single-quote, double-quote, space, semicolon, newline, backtick) in both upstream URL and name positions
  • Validates each rendered output via sh -n to confirm syntactic correctness
  • Asserts original values are preserved verbatim via shlex.quote encoding
  • Adds sh -n smoke tests for the static pre-receive and access-hook scripts

Changes (1 commit)

  • ca6d257 test(git-gate): add shell-escaping regression tests (issue #159)
didericis changed target branch from harden-git-gate-shell-rendering to main 2026-06-03 10:50:10 -04:00
didericis added 2 commits 2026-06-03 10:50:10 -04:00
fix(security): harden git_gate.py shell rendering with shlex.quote and name validation
test / unit (pull_request) Successful in 32s
test / integration (pull_request) Successful in 41s
c4903c368a
Use shlex.quote() on name and upstream_url in git_gate_render_entrypoint()
so special characters (single quotes, spaces, semicolons) cannot break or
inject into the generated sh script.

Add _GIT_NAME_RE validation in GitEntry.from_repos_entry() to restrict
repo names to [A-Za-z0-9._-]+, making the manifest the first line of
defence and shlex.quote() the belt-and-suspenders backstop.

Closes #155
test(git-gate): add shell-escaping regression tests (issue #159)
test / unit (pull_request) Successful in 53s
test / integration (pull_request) Successful in 59s
87b4c6d943
Cover all six pathological character classes (single-quote,
double-quote, space, semicolon, newline, backtick) in both
upstream URL and name positions.  Each case validates rendered
output via `sh -n` and asserts the original value is preserved
verbatim after shlex.quote encoding.  Also add `sh -n` smoke
tests for the static pre-receive and access-hook scripts.
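The hardening the two commits describe (shlex.quote on both rendered values, a `_GIT_NAME_RE` allow-list as the first line of defence, and regression checks that run `sh -n` and assert verbatim round-tripping for the six pathological character classes in both the URL and the name position), as an added illustrative example. It is not bot-bottle's git_gate.py or its test file: the entrypoint template, the function names `render_entrypoint`, `render_entrypoint_unsafe`, `validate_name`, `sh_syntax_ok`, `shell_round_trip` and `check_all_cases`, the static hook stand-in and the sample values are all assumptions made here.

```python
"""Added example (not bot-bottle's git_gate.py): shlex.quote hardening of a
rendered sh entrypoint, a repo-name allow-list, and the sh -n / round-trip
regression checks for the six pathological character classes."""
import re
import shlex
import subprocess

# Assumed allow-list, matching the commit message: names restricted to [A-Za-z0-9._-]+.
_GIT_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")

# Constructed sample values, one per pathological character class named in the PR.
PATHOLOGICAL = {
    "single-quote": "it's",
    "double-quote": 'say "hi"',
    "space": "two words",
    "semicolon": "a; echo INJECTED",
    "newline": "line1\nline2",
    "backtick": "`uname`",
}

# Constructed stand-in for a static hook script, used for the sh -n smoke test.
STATIC_PRE_RECEIVE = """#!/bin/sh
set -eu
while read -r old new ref; do
  case "$ref" in refs/heads/main) echo "push to $ref refused" >&2; exit 1 ;; esac
done
"""


def validate_name(name: str) -> str:
    """First line of defence: reject any name outside the allow-list (assumed to
    sit where the manifest is parsed, like GitEntry.from_repos_entry())."""
    if not _GIT_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid repo name: {name!r}")
    return name


def render_entrypoint_unsafe(name: str, upstream_url: str) -> str:
    """'Before' shape: raw interpolation inside single quotes. A single quote in
    either value terminates the literal early and breaks (or hijacks) the script."""
    return (
        "#!/bin/sh\nset -eu\n"
        f"git clone --mirror '{upstream_url}' '/srv/git/{name}.git'\n"
    )


def render_entrypoint(name: str, upstream_url: str) -> str:
    """Hardened shape: every interpolated value passes through shlex.quote, so the
    shell sees exactly one word per value regardless of its contents."""
    target = shlex.quote(f"/srv/git/{name}.git")
    return (
        "#!/bin/sh\nset -eu\n"
        f"git clone --mirror {shlex.quote(upstream_url)} {target}\n"
    )


def sh_syntax_ok(script: str) -> bool:
    """The PR's check: sh -n parses the script without executing anything."""
    proc = subprocess.run(["sh", "-n"], input=script.encode(), capture_output=True)
    return proc.returncode == 0


def shell_round_trip(value: str) -> bool:
    """Prove the quoted form decodes to the original bytes: offline via shlex.split,
    then through a real sh (printf %s only echoes its argument, so this is inert)."""
    if shlex.split(shlex.quote(value)) != [value]:
        return False
    proc = subprocess.run(
        ["sh", "-c", "printf %s " + shlex.quote(value)], capture_output=True
    )
    return proc.returncode == 0 and proc.stdout == value.encode()


def check_all_cases() -> dict:
    """Run every character class in both the URL and the name position; the
    hardened renderer must parse cleanly and preserve the value verbatim."""
    results = {}
    for label, bad in PATHOLOGICAL.items():
        for position in ("url", "name"):
            url = bad if position == "url" else "https://example.invalid/repo.git"
            name = bad if position == "name" else "repo"
            script = render_entrypoint(name, url)
            results[(label, position)] = sh_syntax_ok(script) and shell_round_trip(bad)
    return results


if __name__ == "__main__":
    for key, ok in check_all_cases().items():
        print(f"{key[0]:>13} in {key[1]}: {'ok' if ok else 'FAIL'}")
    print("static hook parses:", sh_syntax_ok(STATIC_PRE_RECEIVE))
    print("unsafe renderer with a quote:", sh_syntax_ok(render_entrypoint_unsafe("it's", "u")))
```

Note the division of labour the commit message describes: `validate_name` is the only place a bad name is refused, while `render_entrypoint` never trusts its inputs and quotes them anyway, so a name that slips past the manifest check still cannot change the script's token structure. The unsafe renderer fails `sh -n` only for the single-quote class (the other five are inert inside a quoted literal), which is why the regression suite checks all six in both positions rather than just the one that originally broke.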
didericis-claude closed this pull request 2026-06-03 10:52:23 -04:00
didericis-claude deleted branch regression/issue-159-shell-escaping 2026-06-03 10:52:24 -04:00
didericis-claude reopened this pull request 2026-06-03 10:55:36 -04:00
didericis-claude closed this pull request 2026-06-03 10:57:24 -04:00

Pull request closed
