fix(security): harden verifier command execution#3
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b05111e5df
| await this.execService.executeCommand(command); | ||
| await this.execService.executeFile( | ||
| 'git', | ||
| ['-c', 'advice.detachedHead=false', 'checkout', '--detach', ref], |
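Review bot: `ref` is still the last positional argument after `--detach`, so dropping the shell does not stop Git's own option parser from reading a value that begins with `-` as a flag; the `--` separator cannot be used as a guard here because `git checkout` treats everything after it as pathspecs. Make sure the ref validation this PR adds rejects values starting with `-` (and `..`), or resolve the ref first and pass only the resulting commit SHA to `checkout --detach`.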
Preserve checkout of non-default branch refs
For source snapshots whose rev names a non-default branch (for example the `feature/repro-build` ref accepted by the new tests), a normal `git clone` only creates a local branch for the default branch and leaves other branches under `origin/…`; `git checkout --detach feature/repro-build` then invokes Git's remote-branch guessing, which fails because `--detach` is incompatible with creating the guessed tracking branch. This regresses branch-based snapshots that the old `git checkout <ref>` script could check out, so those contracts now fail pre-verification/IPFS checkout even though the parser still accepts the ref.
Summary
- `near` and Git shell-string calls with argument-based `execFile(..., shell: false)`.
- `networkId`, NEAR account IDs, source snapshot URLs, and full 40-character commit SHA pins before executing verifier or Git commands.

Validation

`node:22-alpine`, repo mounted read-only then copied inside):
- `npm ci --ignore-scripts --no-audit --no-fund`
- `npm run build`
- `npm test -- --runInBand`
- `npx eslint "{src,apps,libs,test}/**/*.ts"`
- `git diff --check`