Refactor git command arguments and make all arguments to be safe to be used (#21535)

Follow #21464 Make all git command arguments strictly safe. Most changes are one-to-one replacing, keep all existing logic.
2025-07-23 10:48:37 +00:00 · 2022-10-23 22:44:45 +08:00
parent 4eeea7b30e
commit dcd9fc7ee8
71 changed files with 425 additions and 391 deletions
--- a/services/repository/check.go
+++ b/services/repository/check.go
@@ -24,7 +24,7 @@ import (
 )

 // GitFsck calls 'git fsck' to check repository health.
-func GitFsck(ctx context.Context, timeout time.Duration, args []string) error {
+func GitFsck(ctx context.Context, timeout time.Duration, args []git.CmdArg) error {
 	log.Trace("Doing: GitFsck")

 	if err := db.Iterate(
@@ -58,9 +58,9 @@ func GitFsck(ctx context.Context, timeout time.Duration, args []string) error {
 }

 // GitGcRepos calls 'git gc' to remove unnecessary files and optimize the local repository
-func GitGcRepos(ctx context.Context, timeout time.Duration, args ...string) error {
+func GitGcRepos(ctx context.Context, timeout time.Duration, args ...git.CmdArg) error {
 	log.Trace("Doing: GitGcRepos")
-	args = append([]string{"gc"}, args...)
+	args = append([]git.CmdArg{"gc"}, args...)

 	if err := db.Iterate(
 		ctx,
--- a/services/repository/files/patch.go
+++ b/services/repository/files/patch.go
@@ -139,7 +139,7 @@ func ApplyDiffPatch(ctx context.Context, repo *repo_model.Repository, doer *user
 	stdout := &strings.Builder{}
 	stderr := &strings.Builder{}

-	args := []string{"apply", "--index", "--recount", "--cached", "--ignore-whitespace", "--whitespace=fix", "--binary"}
+	args := []git.CmdArg{"apply", "--index", "--recount", "--cached", "--ignore-whitespace", "--whitespace=fix", "--binary"}

 	if git.CheckGitVersionAtLeast("2.32") == nil {
 		args = append(args, "-3")
--- a/services/repository/files/temp_repo.go
+++ b/services/repository/files/temp_repo.go
@@ -53,7 +53,7 @@ func (t *TemporaryUploadRepository) Close() {

 // Clone the base repository to our path and set branch as the HEAD
 func (t *TemporaryUploadRepository) Clone(branch string) error {
-	if _, _, err := git.NewCommand(t.ctx, "clone", "-s", "--bare", "-b", branch, t.repo.RepoPath(), t.basePath).RunStdString(nil); err != nil {
+	if _, _, err := git.NewCommand(t.ctx, "clone", "-s", "--bare", "-b").AddDynamicArguments(branch, t.repo.RepoPath(), t.basePath).RunStdString(nil); err != nil {
 		stderr := err.Error()
 		if matched, _ := regexp.MatchString(".*Remote branch .* not found in upstream origin.*", stderr); matched {
 			return git.ErrBranchNotExist{
@@ -104,14 +104,7 @@ func (t *TemporaryUploadRepository) LsFiles(filenames ...string) ([]string, erro
 	stdOut := new(bytes.Buffer)
 	stdErr := new(bytes.Buffer)

-	cmdArgs := []string{"ls-files", "-z", "--"}
-	for _, arg := range filenames {
-		if arg != "" {
-			cmdArgs = append(cmdArgs, arg)
-		}
-	}
-
-	if err := git.NewCommand(t.ctx, cmdArgs...).
+	if err := git.NewCommand(t.ctx, "ls-files", "-z").AddDashesAndList(filenames...).
 		Run(&git.RunOpts{
 			Dir:    t.basePath,
 			Stdout: stdOut,
@@ -177,7 +170,7 @@ func (t *TemporaryUploadRepository) HashObject(content io.Reader) (string, error

 // AddObjectToIndex adds the provided object hash to the index with the provided mode and path
 func (t *TemporaryUploadRepository) AddObjectToIndex(mode, objectHash, objectPath string) error {
-	if _, _, err := git.NewCommand(t.ctx, "update-index", "--add", "--replace", "--cacheinfo", mode, objectHash, objectPath).RunStdString(&git.RunOpts{Dir: t.basePath}); err != nil {
+	if _, _, err := git.NewCommand(t.ctx, "update-index", "--add", "--replace", "--cacheinfo").AddDynamicArguments(mode, objectHash, objectPath).RunStdString(&git.RunOpts{Dir: t.basePath}); err != nil {
 		stderr := err.Error()
 		if matched, _ := regexp.MatchString(".*Invalid path '.*", stderr); matched {
 			return models.ErrFilePathInvalid{
@@ -211,7 +204,7 @@ func (t *TemporaryUploadRepository) GetLastCommitByRef(ref string) (string, erro
 	if ref == "" {
 		ref = "HEAD"
 	}
-	stdout, _, err := git.NewCommand(t.ctx, "rev-parse", ref).RunStdString(&git.RunOpts{Dir: t.basePath})
+	stdout, _, err := git.NewCommand(t.ctx, "rev-parse").AddDynamicArguments(ref).RunStdString(&git.RunOpts{Dir: t.basePath})
 	if err != nil {
 		log.Error("Unable to get last ref for %s in temporary repo: %s(%s): Error: %v", ref, t.repo.FullName(), t.basePath, err)
 		return "", fmt.Errorf("Unable to rev-parse %s in temporary repo for: %s Error: %v", ref, t.repo.FullName(), err)
@@ -241,11 +234,11 @@ func (t *TemporaryUploadRepository) CommitTreeWithDate(parent string, author, co
 	_, _ = messageBytes.WriteString(message)
 	_, _ = messageBytes.WriteString("\n")

-	var args []string
+	var args []git.CmdArg
 	if parent != "" {
-		args = []string{"commit-tree", treeHash, "-p", parent}
+		args = []git.CmdArg{"commit-tree", git.CmdArgCheck(treeHash), "-p", git.CmdArgCheck(parent)}
 	} else {
-		args = []string{"commit-tree", treeHash}
+		args = []git.CmdArg{"commit-tree", git.CmdArgCheck(treeHash)}
 	}

 	var sign bool
@@ -257,7 +250,7 @@ func (t *TemporaryUploadRepository) CommitTreeWithDate(parent string, author, co
 		sign, keyID, signer, _ = asymkey_service.SignInitialCommit(t.ctx, t.repo.RepoPath(), author)
 	}
 	if sign {
-		args = append(args, "-S"+keyID)
+		args = append(args, git.CmdArg("-S"+keyID))
 		if t.repo.GetTrustModel() == repo_model.CommitterTrustModel || t.repo.GetTrustModel() == repo_model.CollaboratorCommitterTrustModel {
 			if committerSig.Name != authorSig.Name || committerSig.Email != authorSig.Email {
 				// Add trailers
--- a/services/repository/files/update.go
+++ b/services/repository/files/update.go
@@ -370,7 +370,7 @@ func CreateOrUpdateRepoFile(ctx context.Context, repo *repo_model.Repository, do
 	if setting.LFS.StartServer && hasOldBranch {
 		// Check there is no way this can return multiple infos
 		filename2attribute2info, err := t.gitRepo.CheckAttribute(git.CheckAttributeOpts{
-			Attributes: []string{"filter"},
+			Attributes: []git.CmdArg{"filter"},
 			Filenames:  []string{treePath},
 			CachedOnly: true,
 		})
--- a/services/repository/files/upload.go
+++ b/services/repository/files/upload.go
@@ -96,7 +96,7 @@ func UploadRepoFiles(ctx context.Context, repo *repo_model.Repository, doer *use
 	var filename2attribute2info map[string]map[string]string
 	if setting.LFS.StartServer {
 		filename2attribute2info, err = t.gitRepo.CheckAttribute(git.CheckAttributeOpts{
-			Attributes: []string{"filter"},
+			Attributes: []git.CmdArg{"filter"},
 			Filenames:  names,
 			CachedOnly: true,
 		})
--- a/services/repository/fork.go
+++ b/services/repository/fork.go
@@ -130,7 +130,7 @@ func ForkRepository(ctx context.Context, doer, owner *user_model.User, opts Fork

 		repoPath := repo_model.RepoPath(owner.Name, repo.Name)
 		if stdout, _, err := git.NewCommand(txCtx,
-			"clone", "--bare", oldRepoPath, repoPath).
+			"clone", "--bare").AddDynamicArguments(oldRepoPath, repoPath).
 			SetDescription(fmt.Sprintf("ForkRepository(git clone): %s to %s", opts.BaseRepo.FullName(), repo.FullName())).
 			RunStdBytes(&git.RunOpts{Timeout: 10 * time.Minute}); err != nil {
 			log.Error("Fork Repository (git clone) Failed for %v (from %v):\nStdout: %s\nError: %v", repo, opts.BaseRepo, stdout, err)