
πŸ›‘οΈ Sentinel: [HIGH] Fix Git argument injection#62

Open
xbmc4lyfe wants to merge 1 commit into main from sentinel/fix-git-argument-injection-12719901167017156289

Conversation

@xbmc4lyfe (Collaborator)

🚨 Severity: HIGH
💡 Vulnerability: Untrusted branch and base names fetched from remote sources were passed directly to git commands without validation. If these names start with a hyphen (e.g., -o), they can be interpreted as arguments by git, leading to command injection vulnerabilities.
🎯 Impact: An attacker who can control branch names on a remote repository could execute arbitrary arguments against the underlying git command, potentially leading to information disclosure, arbitrary code execution, or denial of service depending on the arguments injected.
🔧 Fix: Added validation in _checkout_branch and _rebase_onto_base to check if branch or base strings start with a hyphen, and raise a CommandError if they do.
✅ Verification: Ran syntax checks and the test suite.


PR created automatically by Jules for task 12719901167017156289 started by @xbmc4lyfe

* Validated branch names in `_checkout_branch` and `_rebase_onto_base` to prevent Git argument injection vulnerabilities where a branch starting with a hyphen could be treated as an option by the `git` command.
* Added documentation about this learning in `.jules/sentinel.md`.

Co-authored-by: xbmc4lyfe <273732874+xbmc4lyfe@users.noreply.github.com>
@google-labs-jules

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai (Bot) commented May 29, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c9a77a2e-c42e-4025-94c6-3eceee72ad19

📥 Commits

Reviewing files that changed from the base of the PR and between 7b35ed2 and d76e2a6.

📒 Files selected for processing (2)
  • .jules/sentinel.md
  • ralph_loop/git_ops.py
📜 Recent review details
🔇 Additional comments (2)
ralph_loop/git_ops.py (1)

41-42: LGTM!

Also applies to: 138-141

.jules/sentinel.md (1)

1-4: LGTM!


πŸ“ Walkthrough

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Enhanced validation of Git branch and base names to prevent argument injection vulnerabilities. Invalid names starting with hyphens are now rejected early, preventing them from being passed directly to Git commands.
  • Documentation

    • Added comprehensive security documentation describing Git argument injection vulnerabilities and recommended validation practices for untrusted input.

Walkthrough

This PR addresses a Git argument injection vulnerability by adding input validation to reject untrusted branch and base names that start with "-", and documents the vulnerability in a sentinel advisory.

Changes

Git Argument Injection Prevention

Input validation in git operations (ralph_loop/git_ops.py): _checkout_branch and _rebase_onto_base validate that branch and base arguments do not start with "-" before passing them to git commands, raising CommandError early for invalid inputs.

Vulnerability documentation (.jules/sentinel.md): A new sentinel entry (dated 2026-05-29) documents the Git argument injection vulnerability and recommends validating remote branch/base names before use in git commands.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A hyphen tried to slip through git's door,
But validation caught it at the core.
Branch names checked before they're set free,
No arguments flow where they shouldn't be! 🛡️

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title references a Git argument injection fix, which aligns with the main security vulnerability being addressed in the changeset.
Description check | ✅ Passed | The description comprehensively explains the security vulnerability, its impact, and the fix applied, all of which directly relate to the changeset modifications.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d76e2a6cd9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread ralph_loop/git_ops.py
Comment on lines +138 to +139
if branch.startswith("-"):
raise CommandError(f"Invalid branch name: {branch}")

P1: Validate branch before worktree fetch

In the normal single-PR path I inspected, main() calls _ensure_pr_worktree(... branch=branch) before _rebase_onto_base, and _ensure_pr_worktree immediately calls _fetch_pr_branch_or_head, which runs git fetch origin <branch>. git fetch -h shows refspecs are parsed after options (git fetch [<options>] [<repository> [<refspec>...]]) and supports options such as -o/--server-option, so a PR head named like -o... still reaches git as an option before this new guard can fire. Move/centralize branch validation at PR metadata/worktree entry, or make the first fetch use an unambiguous full refspec/option terminator, so the first mutating git command is protected.


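The guard the PR adds (reject a leading hyphen) and the gap the Codex review raises (the branch reaches `git fetch` before that guard runs) are illustrated together below. This is an added example, not the project's ralph_loop/git_ops.py and not code from either bot: the CommandError class name is borrowed from the PR description, the remote name "origin", the function names and the argv shapes are assumptions, and nothing here shells out to git. The validator applies the documented `git check-ref-format` rules in addition to the PR's hyphen check, and the fetch and rebase builders pass fully qualified refs so the positional token can never begin with whatever the remote named the branch. `option_like_positionals` is a small model of git's parse-options behaviour (tokens starting with "-" before a bare "--" are options) used only to show what the unguarded argv exposes.

```python
"""Hardened construction of git argv for untrusted branch and base names."""
import re
from typing import List


class CommandError(Exception):
    """Raised when untrusted input must not reach git (name assumed from the PR)."""


# Characters `git check-ref-format` forbids: ASCII control chars, space, DEL,
# and the metacharacters ~ ^ : ? * [ and backslash.
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def validate_ref_name(name: str) -> str:
    """Return `name` unchanged if git would accept it as a branch name.

    The first check is the one the PR adds (no leading '-'); the rest apply
    the documented `git check-ref-format` rules so the value is a plain ref.
    """
    if not name:
        raise CommandError("empty ref name")
    if name.startswith("-"):
        # "-o..." or "--upload-pack=..." would otherwise parse as an option.
        raise CommandError(f"ref name must not start with '-': {name!r}")
    if _FORBIDDEN_CHARS.search(name):
        raise CommandError(f"ref name contains a forbidden character: {name!r}")
    if ".." in name or "@{" in name or "//" in name or name == "@":
        raise CommandError(f"ref name contains a forbidden sequence: {name!r}")
    if name.startswith("/") or name.endswith("/") or name.endswith("."):
        raise CommandError(f"ref name has a bad leading/trailing character: {name!r}")
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            raise CommandError(f"ref name component is not allowed: {component!r}")
    return name


def is_valid_ref_name(name: str) -> bool:
    """Boolean form of validate_ref_name for callers that only need a verdict."""
    try:
        validate_ref_name(name)
    except CommandError:
        return False
    return True


def fetch_argv(remote: str, branch: str) -> List[str]:
    """argv for fetching one PR branch (assumed shape, not the project's code).

    Validation runs before the first git call, and the branch travels as a
    full refspec, so the positional token starts with '+refs/' rather than
    with the remote-chosen name.
    """
    validate_ref_name(remote)
    validate_ref_name(branch)
    refspec = f"+refs/heads/{branch}:refs/remotes/{remote}/{branch}"
    return ["git", "fetch", remote, refspec]


def rebase_argv(remote: str, base: str) -> List[str]:
    """argv for rebasing the worktree onto the fetched base branch."""
    validate_ref_name(remote)
    validate_ref_name(base)
    # A fully qualified remote-tracking ref cannot start with '-'.
    return ["git", "rebase", f"refs/remotes/{remote}/{base}"]


def option_like_positionals(argv: List[str]) -> List[str]:
    """Tokens after the subcommand that an option parser would treat as
    options: anything beginning with '-' before a bare '--' terminator.
    This models parse-options behaviour for illustration; it is not a git call."""
    suspicious = []
    for token in argv[2:]:
        if token == "--":
            break
        if token.startswith("-"):
            suspicious.append(token)
    return suspicious


if __name__ == "__main__":
    # Constructed attacker-controlled PR head name (sample input, not observed).
    hostile = "-oserver-option"
    naive = ["git", "fetch", "origin", hostile]  # the unguarded call shape
    print("naive argv exposes:", option_like_positionals(naive))
    try:
        fetch_argv("origin", hostile)
    except CommandError as exc:
        print("hardened argv rejects:", exc)
    print("hardened argv:", fetch_argv("origin", "pr-123"))
```

Running the block prints the hostile token the naive argv would hand to git's option parser, the rejection the validator raises for it, and the fully qualified refspec the hardened builder produces. Centralising the check in one validator that every git-calling path uses, rather than in the two functions the PR patched, is what closes the ordering gap the Codex review describes.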