fix: resolve clone failure when HEAD file exists in repository (#13)

l-qing · web-flow · commit 57773c0c91a6 · 2025-12-24T18:19:02.000+08:00
add -- separator to git show commands to prevent command injection
diff --git a/image/git-init/git/git.go b/image/git-init/git/git.go
@@ -185,7 +185,7 @@ func Fetch(logger *zap.SugaredLogger, spec FetchSpec) error {
 		return fmt.Errorf("error parsing %s after fetching refspec %s", checkoutParam, spec.Refspec)
 	}
 
-	if _, err := run(logger, "", "checkout", "-f", checkoutParam); err != nil {
+	if _, err := run(logger, "", "checkout", "-f", checkoutParam, "--"); err != nil {
 		return err
 	}
 
@@ -208,15 +208,15 @@ func Fetch(logger *zap.SugaredLogger, spec FetchSpec) error {
 
 // ShowCommit calls "git show ..." to get the commit SHA for the given revision
 func ShowCommit(logger *zap.SugaredLogger, revision, path string) (string, error) {
-	output, err := run(logger, path, "show", "-q", "--pretty=format:%H", revision)
+	output, err := run(logger, path, "show", "-q", "--pretty=format:%H", revision, "--")
 	if err != nil {
 		return "", err
 	}
 	return strings.TrimSuffix(output, "\n"), nil
 }
 
 func showRef(logger *zap.SugaredLogger, revision, path string) (string, error) {
-	output, err := run(logger, path, "show", "-q", "--pretty=format:%D", revision)
+	output, err := run(logger, path, "show", "-q", "--pretty=format:%D", revision, "--")
 	if err != nil {
 		return "", err
 	}

Original file line number	Diff line number	Diff line change
`@@ -185,7 +185,7 @@ func Fetch(logger *zap.SugaredLogger, spec FetchSpec) error {`
`185`	`185`	`return fmt.Errorf("error parsing %s after fetching refspec %s", checkoutParam, spec.Refspec)`
`186`	`186`	`}`
`187`	`187`
`188`		`- if _, err := run(logger, "", "checkout", "-f", checkoutParam); err != nil {`
	`188`	`+ if _, err := run(logger, "", "checkout", "-f", checkoutParam, "--"); err != nil {`
`189`	`189`	`return err`
`190`	`190`	`}`
`191`	`191`
`@@ -208,15 +208,15 @@ func Fetch(logger *zap.SugaredLogger, spec FetchSpec) error {`
`208`	`208`
`209`	`209`	`// ShowCommit calls "git show ..." to get the commit SHA for the given revision`
`210`	`210`	`func ShowCommit(logger *zap.SugaredLogger, revision, path string) (string, error) {`
`211`		`- output, err := run(logger, path, "show", "-q", "--pretty=format:%H", revision)`
	`211`	`+ output, err := run(logger, path, "show", "-q", "--pretty=format:%H", revision, "--")`
`212`	`212`	`if err != nil {`
`213`	`213`	`return "", err`
`214`	`214`	`}`
`215`	`215`	`return strings.TrimSuffix(output, "\n"), nil`
`216`	`216`	`}`
`217`	`217`
`218`	`218`	`func showRef(logger *zap.SugaredLogger, revision, path string) (string, error) {`
`219`		`- output, err := run(logger, path, "show", "-q", "--pretty=format:%D", revision)`
	`219`	`+ output, err := run(logger, path, "show", "-q", "--pretty=format:%D", revision, "--")`
`220`	`220`	`if err != nil {`
`221`	`221`	`return "", err`
`222`	`222`	`}`