fix(ci): suppress Brakeman false positives for the new merge plumbing
commits_between, diff, and merge!'s update-ref call all interpolate branch refs into Open3.capture3 argv, same pattern as the rest of GitRepositoryService already covered in brakeman.ignore — Open3 never invokes a shell, and safe_rev? rejects refs starting with "-" before they reach git.
Seto Elkahfi committed
Jul 5, 2026 at 11:57 UTC
f5ce9a9cf1e6016e70815a94e392911bbafb85f7
1 file changed
+30
config/brakeman.ignore
+30
index ae0aa8c..991e8b3 100644
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@@ -70,6 +70,36 @@
"line": 245,
"note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
},
+ {
+ "warning_type": "Command Injection",
+ "warning_code": 14,
+ "fingerprint": "9569afc8080f4e1e0e4b4b3de400e2695641b30574fbdb0b421d1b41c5224df1",
+ "check_name": "Execute",
+ "message": "Possible command injection",
+ "file": "app/services/git_repository_service.rb",
+ "line": 269,
+ "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base/head refs are passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
+ },
+ {
+ "warning_type": "Command Injection",
+ "warning_code": 14,
+ "fingerprint": "03f0108aa182ee54b38be945afcbe9c90ffec86500b284510dae38fff5a2d1e0",
+ "check_name": "Execute",
+ "message": "Possible command injection",
+ "file": "app/services/git_repository_service.rb",
+ "line": 294,
+ "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base/head refs are passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
+ },
+ {
+ "warning_type": "Command Injection",
+ "warning_code": 14,
+ "fingerprint": "405f8ed8c2a9df18ef8591501a996ad3e5ce7fb5eb046c1e1aaddd47e1dc762d",
+ "check_name": "Execute",
+ "message": "Possible command injection",
+ "file": "app/services/git_repository_service.rb",
+ "line": 336,
+ "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base ref reaches `update-ref` as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")."
+ },
{
"warning_type": "Command Injection",
"warning_code": 14,