fix(native): suppress git hooks during apply cancel #123
Draft
cursor[bot] wants to merge 1 commit into
Co-authored-by: cooper <czxtm@users.noreply.github.com>
Could be wrong, and a lot of things were merged since, but this command was unused and flagged for removal in my now outdated tauri-api cleanup PR.
Summary

Fixes a native apply-cancel security gap where `darwin_apply_stream_cancel` used raw `git` invocations instead of nixmac's hardened git wrapper. A malicious or compromised config repository could run Git hooks during cancel operations (checkout/commit) despite the rest of nixmac disabling hooks via `core.hooksPath=/dev/null`.

Changes:

- `git::run_command` helper that preserves nixmac's fixed git identity and hook suppression.
- `pre-commit` hook and verifies nixmac git commands do not run it.

Test Plan

- `rustfmt --edition 2021 src/git/exec.rs src/git/mod.rs src/commands/apply.rs`
- `git diff --check HEAD~1..HEAD`
- `pre-commit` hook, then committed with nixmac's hardened git arguments and verified `hook-ran` was not created.
- `cargo test git::exec::tests::test_run_command_disables_repo_hooks` with Cargo 1.83: blocked by an edition-2024 dependency parser error.
- `cargo +stable test git::exec::tests::test_run_command_disables_repo_hooks`: compilation progressed but failed before crate tests because the Linux runner lacks `gdk-3.0`/`gdk-3.0.pc` required by Tauri/Wry.

Docs
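The behaviour the summary and test plan describe, as an added Rust example that is not code from this PR or from nixmac: the same commit is made once with raw `git` and once with `-c core.hooksPath=/dev/null`, and only the raw run lets a repository-supplied `pre-commit` hook execute. The `git` helper, the placeholder identity, the temp-directory name and `config.txt` are assumptions made for the demo; it needs a Unix host with `git` on `PATH`.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::Path;
use std::process::Command;

/// Run git in `repo`. With `suppress_hooks`, prepend the hook-disabling
/// override the PR describes, so hooks shipped in the repository cannot fire.
fn git(repo: &Path, suppress_hooks: bool, args: &[&str]) -> io::Result<()> {
    let mut cmd = Command::new("git");
    cmd.current_dir(repo);
    if suppress_hooks {
        cmd.args(["-c", "core.hooksPath=/dev/null"]);
    }
    // Constructed placeholder identity, not nixmac's real one.
    cmd.args(["-c", "user.name=Example", "-c", "user.email=example@example.invalid"]);
    let out = cmd.args(args).output()?;
    if out.status.success() { return Ok(()); }
    Err(io::Error::new(io::ErrorKind::Other, format!("git {:?} failed", args)))
}

/// Build a throwaway repo whose pre-commit hook drops a `hook-ran` marker,
/// commit once, and report whether the marker was created.
fn hook_ran_after_commit(suppress_hooks: bool) -> io::Result<bool> {
    let repo = std::env::temp_dir()
        .join(format!("hook-demo-{}-{}", std::process::id(), suppress_hooks));
    let _ = fs::remove_dir_all(&repo);
    fs::create_dir_all(&repo)?;
    git(&repo, suppress_hooks, &["init", "-q"])?;
    // Stand-in for a hook planted by an untrusted config repository.
    let hook = repo.join(".git/hooks/pre-commit");
    fs::create_dir_all(hook.parent().unwrap())?;
    fs::write(&hook, "#!/bin/sh\ntouch hook-ran\n")?;
    fs::set_permissions(&hook, fs::Permissions::from_mode(0o755))?;
    fs::write(repo.join("config.txt"), "constructed sample\n")?;
    git(&repo, suppress_hooks, &["add", "config.txt"])?;
    git(&repo, suppress_hooks, &["commit", "-q", "-m", "test"])?;
    let ran = repo.join("hook-ran").exists();
    fs::remove_dir_all(&repo)?;
    Ok(ran)
}

fn main() -> io::Result<()> {
    println!("raw git: hook ran = {}", hook_ran_after_commit(false)?);
    println!("core.hooksPath=/dev/null: hook ran = {}", hook_ran_after_commit(true)?);
    Ok(())
}
```

The override only protects calls that go through the wrapper, which is why a single code path using raw `git` is enough to reopen the gap.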