[AUH,1/2] git: use temp file for commit message to avoid shell escaping issues

Message ID 20260525080418.942183-1-daniel.turull@ericsson.com
State New
Series [AUH,1/2] git: use temp file for commit message to avoid shell escaping issues

Commit Message

Daniel Turull May 25, 2026, 8:04 a.m. UTC
From: Daniel Turull <daniel.turull@ericsson.com>

Passing the commit message via -m "..." interpolates it directly into
a shell command, causing a syntax error when the message contains special
characters such as backticks, double quotes, or shell metacharacters.

Use a temporary file with -F instead, which bypasses shell interpretation
entirely.

AI-Generated: kiro with claude-opus-4.6 model
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
---
 modules/utils/git.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

Comments

Richard Purdie May 25, 2026, 8:53 a.m. UTC | #1
On Mon, 2026-05-25 at 10:04 +0200, Daniel Turull via lists.yoctoproject.org wrote:
> From: Daniel Turull <daniel.turull@ericsson.com>
> 
> Passing the commit message via -m "..." interpolates it directly into
> a shell command, causing a syntax error when the message contains special
> characters such as backticks, double quotes, or shell metacharacters.
> 
> Use a temporary file with -F instead, which bypasses shell interpretation
> entirely.
> 
> AI-Generated: kiro with claude-opus-4.6 model
> Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
> ---
>  modules/utils/git.py | 15 +++++++++++----
>  1 file changed, 11 insertions(+), 4 deletions(-)
> 
> diff --git a/modules/utils/git.py b/modules/utils/git.py
> index b383049..b732cdb 100644
> --- a/modules/utils/git.py
> +++ b/modules/utils/git.py
> @@ -54,10 +54,17 @@ class Git(object):
>          return self._cmd("add " + src)
>  
>      def commit(self, commit_message, author=None):
> -        if author is None:
> -            return self._cmd("commit -a -s -m \"" + commit_message + "\"")
> -        else:
> -            return self._cmd("commit -a --author=\"" + author + "\" -m \"" + commit_message + "\"")
> +        import tempfile
> +        with tempfile.NamedTemporaryFile(mode='w', suffix='.txt', delete=False) as f:
> +            f.write(commit_message)
> +            tmp = f.name
> +        try:
> +            if author is None:
> +                return self._cmd("commit -a -s -F " + tmp)
> +            else:
> +                return self._cmd("commit -a --author=\"" + author + "\" -F " + tmp)
> +        finally:
> +            os.unlink(tmp)
> 
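Review bot: the `--author` branch of this hunk still splices `author` unquoted into the shell string (`"commit -a --author=\"" + author + "\" -F " + tmp`), so the quoting failure the patch fixes for the message remains for the author field, and `tmp` is interpolated raw as well (a TMPDIR containing a space would break it). Quote both with `shlex.quote`, or, if `_cmd` can be given an argument list instead of a string, pass `["commit", "-a", "--author=" + author, "-F", tmp]` so no shell parses either value.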


Why delete=False and then the try/finally?

Cheers,

Richard
Daniel Turull May 25, 2026, 10:46 a.m. UTC | #2
Hi,
thanks for the quick review.

I assumed _cmd had to be called after the "with" block, so I used delete=False to keep the file on disk after it was closed at the end of the with block.
Moving _cmd inside the with block with an f.flush() is simpler.

I'll send a v2.

Cheers,
Daniel
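The two points raised in this thread, the shell mangling of the old `-m "..."` form and the simpler `-F` variant with `_cmd` kept inside the `with` block after `f.flush()`, as an added example that is not the AUH project's code. It assumes a `run` callable standing in for the shell-free git invocation (injectable so the demo needs no git binary); `shlex` only models quoting and word splitting, not command substitution.

```python
import os
import shlex
import subprocess
import tempfile

def legacy_commit_command(commit_message, author=None):
    # Pre-patch construction: the message is spliced straight into a shell string.
    if author is None:
        return "commit -a -s -m \"" + commit_message + "\""
    return "commit -a --author=\"" + author + "\" -m \"" + commit_message + "\""

def legacy_argv(commit_message, author=None):
    # Words a POSIX shell would hand to git. shlex raises ValueError on an unbalanced
    # quote, which is the "syntax error" case the commit message describes.
    return shlex.split(legacy_commit_command(commit_message, author))

def message_survives_shell(commit_message):
    # True only if -m would receive the message as one unchanged argument.
    try:
        argv = legacy_argv(commit_message)
    except ValueError:
        return False
    return len(argv) == 5 and argv[-1] == commit_message

def safe_commit(commit_message, author=None, run=None):
    # Hardened form (assumed design, not the project's code): message through a temp
    # file read by -F, author as one argv element, git invoked without any shell.
    if run is None:
        run = lambda argv: subprocess.run(argv, check=True)
    with tempfile.NamedTemporaryFile(mode="w", suffix=".txt") as f:
        f.write(commit_message)
        f.flush()  # git reads the still-open file; no delete=False / try-finally needed
        flag = "-s" if author is None else "--author=" + author  # mirrors the patch's flag choice
        argv = ["git", "commit", "-a", flag, "-F", f.name]
        run(argv)
    return argv

def demo():
    # Constructed inputs: quotes inside the message, a backtick in the author name.
    message, seen = 'Fix "foo bar" handling', {}
    def fake_run(argv):
        with open(argv[-1]) as fh:  # read the file at the moment git would read it
            seen["body"] = fh.read()
    argv = safe_commit(message, author="Ann `Doe` <ann@example.com>", run=fake_run)
    return {"legacy_tokens": legacy_argv(message), "legacy_ok": message_survives_shell(message),
            "plain_ok": message_survives_shell("plain message"),
            "unbalanced_ok": message_survives_shell('Fix "a'), "safe_argv": argv,
            "safe_body": seen["body"], "tmp_removed": not os.path.exists(argv[-1])}
```

`demo()` shows the legacy string turning `Fix "foo bar" handling` into the message `Fix foo` plus a stray `bar handling` pathspec, while the `-F` path delivers the exact bytes and removes the temp file on exit.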
Patch

diff --git a/modules/utils/git.py b/modules/utils/git.py
index b383049..b732cdb 100644
--- a/modules/utils/git.py
+++ b/modules/utils/git.py
@@ -54,10 +54,17 @@  class Git(object):
         return self._cmd("add " + src)
 
     def commit(self, commit_message, author=None):
-        if author is None:
-            return self._cmd("commit -a -s -m \"" + commit_message + "\"")
-        else:
-            return self._cmd("commit -a --author=\"" + author + "\" -m \"" + commit_message + "\"")
+        import tempfile
+        with tempfile.NamedTemporaryFile(mode='w', suffix='.txt', delete=False) as f:
+            f.write(commit_message)
+            tmp = f.name
+        try:
+            if author is None:
+                return self._cmd("commit -a -s -F " + tmp)
+            else:
+                return self._cmd("commit -a --author=\"" + author + "\" -F " + tmp)
+        finally:
+            os.unlink(tmp)
 
     def revert(self, commit):
         return self._cmd("revert --no-edit " + commit)
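Review bot: `os.unlink(tmp)` in the `finally` depends on `os` being imported at module level, which this hunk does not show, while `tempfile` is imported locally inside `commit()`; move `import tempfile` up to the module imports alongside `os` so both are visibly available. The `delete=False` plus `try/finally` pair is also unnecessary: call `self._cmd(...)` inside the `with` block after `f.flush()` and let `NamedTemporaryFile` delete the file itself, which drops five lines and the manual cleanup. Finally, the `--author` branch still omits `-s` and still concatenates `author` into the shell string unquoted; that is pre-existing behaviour, but since the purpose of this patch is to stop shell interpretation of user-controlled values, wrapping `author` and `tmp` in `shlex.quote()` here would finish the job.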