Terrible title, I thought it was a vulnerability in git.
Pull requests are not a feature of git, you probably thought they were?
Yup, pull requests are an invention from git’s servers (I think github came up with that first). The built in way (famously used by the linux kernel) is git-send-email.
GitHub is completely unrelated to git.
git-send-email is not even very similar to a pull request, just tangentially related but very different conceptually.
I never considered branch names to be a vector, but in hindsight it makes total sense when put into a workflow like that. What possibly surprised me even more, was that branch names weren’t limited to basic characters or at least no special signs. I obviously see the case for all the extended characters outside the latin alphabet, such as Chinese characters, but I totally expected restrictions on special symbols like
"
,'
,/
,\
,;
, etc./
is used to separate the same branch in different repos. For exampleorigin/main
andremote/main
. Surprising that the other stuff is legal thoughYou can still freely use
/
in branch names. Having remote branches available asremote/branch
is just a convenience, and you can delete or modify them locally. It’s common to use/
in branch names, too.Okay? I’m well aware. I do so all the time
Where’s the code that doesn’t quote this properly? I’m guessing it’s Bash.
Ding ding ding! We have a winner!
It’s a third-party GitHub Action that is passing the branch name directly to Bash. So to be clear, not GitHub’s fault.
This is why Bobby Tables mom needs her Github account suspended…
On an unrelated note, don’t forget to sanitize your input.
Presumably they picked the repo because it will auto-merge MRs if they pass testing even without human approvals. Glad they caught it and good work to everyone involved, but I’m gonna file this one under my “fuck around, find out” folder.