Non-literal format strings and unsafe shell commands in prepare_commit_msg_hook
It seems that the problem was introduced in commit 7adba454.
[171/199] Compiling C object 'gitg/25a9a22@@gitg@exe/meson-generated_commit_gitg-commit-dialog.c.o'.
FAILED: gitg/25a9a22@@gitg@exe/meson-generated_commit_gitg-commit-dialog.c.o
clang -B/home/lantw44/.local/bin -Igitg/25a9a22@@gitg@exe -Igitg -I../../source/gitg/gitg -I. -I../../source/gitg/ -Ilibgitg-ext -I../../source/gitg/libgitg-ext -Ilibgitg -I../../source/gitg/libgitg -I/home/lantw44/gnome/devinstall/include/gobject-introspection-1.0 -I/usr/local/lib/libffi-3.2.1/include -I/home/lantw44/gnome/devinstall/include/glib-2.0 -I/home/lantw44/gnome/devinstall/lib/glib-2.0/include -I/home/lantw44/gnome/devinstall/include/gtksourceview-4 -I/home/lantw44/gnome/devinstall/include/gtk-3.0 -I/home/lantw44/gnome/devinstall/include/pango-1.0 -I/home/lantw44/gnome/devinstall/include/harfbuzz -I/home/lantw44/gnome/devinstall/include/fribidi -I/usr/local/include/freetype2 -I/usr/local/include/libpng16 -I/usr/local/include/uuid -I/home/lantw44/gnome/devinstall/include/cairo -I/home/lantw44/gnome/devinstall/include/pixman-1 -I/usr/local/include/libdrm -I/home/lantw44/gnome/devinstall/include/gdk-pixbuf-2.0 -I/home/lantw44/gnome/devinstall/include/gio-unix-2.0 -I/home/lantw44/gnome/devinstall/include/atk-1.0 -I/home/lantw44/gnome/devinstall/include/at-spi2-atk/2.0 -I/home/lantw44/gnome/devinstall/include/at-spi-2.0 -I/usr/local/include/dbus-1.0 -I/usr/local/lib/dbus-1.0/include -I/usr/local/include/libxml2 -I/home/lantw44/gnome/devinstall/include/gspell-1 -I/home/lantw44/gnome/devinstall/include/enchant-2 -I/home/lantw44/gnome/devinstall/include/gee-0.8 -I/home/lantw44/gnome/devinstall/include/libgit2-glib-1.0 -I/home/lantw44/gnome/devinstall/include/libdazzle-1.0 -I/home/lantw44/gnome/devinstall/include/libpeas-1.0 -I/home/lantw44/gnome/devinstall/include/json-glib-1.0 -Xclang -fcolor-diagnostics -pipe -D_FILE_OFFSET_BITS=64 -w -O2 -g -DHAVE_CONFIG_H '-DG_LOG_DOMAIN="gitg"' -march=corei7 -B/home/lantw44/.local/bin -g3 -Og -gz -Wno-error=format-nonliteral -pthread -DGIT_SSH=1 -D_THREAD_SAFE -Werror=format=2 -Werror=implicit-function-declaration -Werror=init-self -Werror=missing-include-dirs -Werror=missing-prototypes -Werror=pointer-arith 
-Werror=return-type -Wmissing-declarations -Wnested-externs -Wstrict-prototypes -Wuninitialized '-DDATADIR="/home/lantw44/gnome/devinstall/share"' '-DGITG_DATADIR="/home/lantw44/gnome/devinstall/share/gitg"' '-DGITG_LOCALEDIR="/home/lantw44/gnome/devinstall/share/locale"' -MD -MQ 'gitg/25a9a22@@gitg@exe/meson-generated_commit_gitg-commit-dialog.c.o' -MF 'gitg/25a9a22@@gitg@exe/meson-generated_commit_gitg-commit-dialog.c.o.d' -o 'gitg/25a9a22@@gitg@exe/meson-generated_commit_gitg-commit-dialog.c.o' -c 'gitg/25a9a22@@gitg@exe/commit/gitg-commit-dialog.c'
../../source/gitg/gitg/commit/gitg-commit-dialog.vala:907:32: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
_tmp40_ = g_strdup_printf (_tmp36_, _tmp39_);
                           ^~~~~~~
../../source/gitg/gitg/commit/gitg-commit-dialog.vala:910:32: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
_tmp52_ = g_strdup_printf (_tmp48_, _tmp51_);
                           ^~~~~~~
2 errors generated.
The problem comes from these lines of code:
907 var command = @"echo $commit_msg > %s".printf(file.get_path());
908 Posix.system(command);
909
910 command = @"$hook_name %s $commit_src $commit_sha".printf(file.get_path());
911 Posix.system(command);
A string template is not a string literal. @ should be removed and $variable should be replaced by %s. In addition to the format string problem, this code also generates shell commands without quoting arguments, making it vulnerable to shell injection. To generate a shell command safely, arguments should be quoted with g_shell_quote, so special characters won't break the script.
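The two fixes described above, as an added example that is not gitg's code: the command is built from a literal format string, and every value is quoted before the shell sees it. shell_quote is a hypothetical stand-in that applies the same single-quote rule as g_shell_quote so the block compiles without GLib; build_write_command, message_survives_shell, the /tmp path and the sample message are likewise assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for g_shell_quote(): wrap s in single quotes and
 * rewrite each embedded ' as '\'' so /bin/sh reads it as one literal word. */
char *shell_quote(const char *s)
{
    size_t n = 3;                          /* two quotes + NUL */
    for (const char *p = s; *p; p++) n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *w = out;
    if (!out) return NULL;
    *w++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    }
    memcpy(w, "'", 2);                     /* closing quote + NUL */
    return out;
}

/* Line 907 rebuilt: literal format string, both values quoted. printf is
 * used instead of echo so backslashes in the message stay uninterpreted. */
char *build_write_command(const char *msg, const char *path)
{
    char *qm = shell_quote(msg), *qp = shell_quote(path), *cmd = NULL;
    size_t n = (qm && qp) ? strlen(qm) + strlen(qp) + 16 : 0;
    if (n && (cmd = malloc(n)))
        snprintf(cmd, n, "printf '%%s' %s > %s", qm, qp);
    free(qm); free(qp);
    return cmd;
}

/* Run the command; return 1 only if the file then holds msg byte for byte
 * (an unopened file yields got = (size_t)-1, which never matches). */
int message_survives_shell(const char *msg, const char *path)
{
    char buf[256] = {0}, *cmd = build_write_command(msg, path);
    FILE *f = (cmd && system(cmd) == 0) ? fopen(path, "rb") : NULL;
    size_t got = f ? fread(buf, 1, sizeof buf - 1, f) : (size_t)-1;
    if (f) fclose(f);
    free(cmd); remove(path);
    return got == strlen(msg) && memcmp(buf, msg, got) == 0;
}

int main(void)
{
    /* Constructed commit message full of shell metacharacters. */
    const char *msg = "Don't split on ';' or $(sub) `tick` > \"quote\"";
    puts(message_survives_shell(msg, "/tmp/gitg quote demo.txt") ? "verbatim" : "altered");
}
```

Writing the message with a file API, or spawning the hook with an argument vector instead of a command string, avoids the shell and the need for quoting altogether.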