From 2449548294b008c492c57e466514ca05689923d9 Mon Sep 17 00:00:00 2001
From: Brendan Kellam
Date: Mon, 11 May 2026 17:43:01 -0700
Subject: [PATCH 1/4] fix(backend): opt in to simple-git unsafe categories present in env
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

simple-git 3.36.0 (upgrade for CVE-2026-6951) now throws when the parent process environment contains values it considers unsafe — most commonly PAGER and EDITOR from the operator's shell, but also legit operator-set values like GIT_SSH_COMMAND for deploy keys. This broke git clone/fetch out of the box. Parse process.env once at module load with @simple-git/argv-parser, derive an `unsafe` flag map from whatever categories are present, and pass it to simpleGit(). When any are detected, emit a warn log listing the categories and messages along with a link to simple-git's unsafe actions doc so operators can see what's being trusted.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 packages/backend/src/git.ts | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/packages/backend/src/git.ts b/packages/backend/src/git.ts
index 523143538..282e8ccb0 100644
--- a/packages/backend/src/git.ts
+++ b/packages/backend/src/git.ts
@@ -3,11 +3,31 @@
 import { existsSync } from 'node:fs';
 import { mkdir } from 'node:fs/promises';
 import { dirname, resolve } from 'node:path';
 import { CheckRepoActions, GitConfigScope, simpleGit, SimpleGitProgressEvent } from 'simple-git';
+import { parseEnv } from '@simple-git/argv-parser';
 type onProgressFn = (event: SimpleGitProgressEvent) => void;
 const logger = createLogger('git-utils');
+/**
+ * simple-git blocks certain env vars (e.g., GIT_SSH_COMMAND, GIT_ASKPASS, etc.)
+ * by default to prevent common git vulnerabilities by throwing a exception. To
+ * maintain backwards compatibility, we opt to permit these env vars but raise a
+ * warning message s.t., system admins are aware.
+ */
+const { vulnerabilities: envVulnerabilities } = parseEnv(process.env);
+const unsafe = Object.fromEntries(
+ envVulnerabilities.map(v => [v.category, true] as const)
+);
+
+if (envVulnerabilities.length > 0) {
+ const details = envVulnerabilities.map(v => ` - ${v.category}: ${v.message}`).join('\n');
+ logger.warn(
+ `Opting in to unsafe simple-git categories based on inherited environment:\n${details}\n` + `See https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md`
+ );
+}
+
 /**
 * Creates a simple-git client that has it's working directory
 * set to the given path.
@@ -22,6 +42,7 @@ const createGitClientForPath = (path: string, onProgress?: onProgressFn, signal?
 const git = simpleGit({
 progress: onProgress,
 abort: signal,
+ unsafe,
 })
 .env({
 ...process.env,
From 9e8ea95f3c8473e8c491015729959164cca3350a Mon Sep 17 00:00:00 2001
From: Brendan Kellam
Date: Mon, 11 May 2026 17:43:29 -0700
Subject: [PATCH 2/4] update CHANGELOG

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2395dd8d4..1682e6e06 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
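Review bot: The `unsafe` map is computed once at module load from `process.env`, while `createGitClientForPath` (whose body continues outside the hunk) spreads the live `process.env` into `.env({...})` on every call, so a flagged value that enters the environment after this module is imported would presumably still make simple-git throw despite the opt-in; deriving the map from the same env object handed to `.env()` (e.g. a small helper called inside the function, with the warning emitted only once) would keep the two in step. Opting in to every detected category is also the widest possible policy — it reinstates, for anything already in the environment, exactly the behaviour the 3.36.0 guard blocks — so an explicit operator setting listing the categories to trust, with the warning kept for anything not listed, would make the log line actionable rather than purely informational; this assumes `v.category` is the key set simple-git's `unsafe` option expects. In the doc comment, `by throwing a exception` should read `by throwing an exception`.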
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Upgraded `hono` to `^4.12.18` to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
 - Upgraded `ip-address` to `^10.2.0` to address CVE-2026-42338. [#1189](https://github.com/sourcebot-dev/sourcebot/pull/1189)
 - Upgraded `fast-xml-builder` to `^1.2.0` to address CVE-2026-44664, CVE-2026-44665. [#1184](https://github.com/sourcebot-dev/sourcebot/pull/1184)
+- Fixed git operations failing when the host environment contains values that `simple-git`'s new safety checks flag (e.g., `PAGER`, `EDITOR`, `GIT_SSH_COMMAND`). [#1193](https://github.com/sourcebot-dev/sourcebot/pull/1193)
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)
From 41939450d1be7a6a5e2f8dcdea5948420e1606f5 Mon Sep 17 00:00:00 2001
From: Brendan Kellam
Date: Mon, 11 May 2026 17:47:51 -0700
Subject: [PATCH 3/4] changelog & nit

---
 CHANGELOG.md | 4 +++-
 packages/backend/src/git.ts | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1682e6e06..0bba31fa6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,11 +15,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Upgraded `hono` to `^4.12.18` to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
 - Upgraded `ip-address` to `^10.2.0` to address CVE-2026-42338. [#1189](https://github.com/sourcebot-dev/sourcebot/pull/1189)
 - Upgraded `fast-xml-builder` to `^1.2.0` to address CVE-2026-44664, CVE-2026-44665. [#1184](https://github.com/sourcebot-dev/sourcebot/pull/1184)
-- Fixed git operations failing when the host environment contains values that `simple-git`'s new safety checks flag (e.g., `PAGER`, `EDITOR`, `GIT_SSH_COMMAND`). [#1193](https://github.com/sourcebot-dev/sourcebot/pull/1193)
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)
+### Added
+- Added warning message that fires on startup when host environment contains env vars that simple-git flags unsafe. [#1193](https://github.com/sourcebot-dev/sourcebot/pull/1193)
+
 ## [4.17.1] - 2026-05-04
 ### Added
diff --git a/packages/backend/src/git.ts b/packages/backend/src/git.ts
index 282e8ccb0..c803d18d6 100644
--- a/packages/backend/src/git.ts
+++ b/packages/backend/src/git.ts
@@ -14,6 +14,8 @@ const logger = createLogger('git-utils');
 * by default to prevent common git vulnerabilities by throwing a exception. To
 * maintain backwards compatibility, we opt to permit these env vars but raise a
 * warning message s.t., system admins are aware.
+ *
+ * @see https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md
 */
 const { vulnerabilities: envVulnerabilities } = parseEnv(process.env);
 const unsafe = Object.fromEntries(
From f833c4cf918ba9ab88c6710d9ab05458642f5f5b Mon Sep 17 00:00:00 2001
From: Brendan Kellam
Date: Mon, 11 May 2026 17:58:20 -0700
Subject: [PATCH 4/4] changelog

---
 CHANGELOG.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0bba31fa6..ffbd64f1d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Added
+- Added warning message that fires on startup when host environment contains env vars that simple-git flags as unsafe. [#1193](https://github.com/sourcebot-dev/sourcebot/pull/1193)
+
 ### Fixed
 - Add missing schema changes introduced in [#1170](https://github.com/sourcebot-dev/sourcebot/pull/1170). [#1176](https://github.com/sourcebot-dev/sourcebot/pull/1176)
 - Fixed blame gutter commit navigation to use the file path as it existed at the attributing commit, so clicking a blame line whose commit predates a rename resolves to the correct historical path. [#1178](https://github.com/sourcebot-dev/sourcebot/pull/1178)
@@ -19,9 +22,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)
-### Added
-- Added warning message that fires on startup when host environment contains env vars that simple-git flags unsafe. [#1193](https://github.com/sourcebot-dev/sourcebot/pull/1193)
-
 ## [4.17.1] - 2026-05-04
 ### Added