fix(ci): suppress Brakeman false positives for the new merge plumbing

commits_between, diff, and merge!'s update-ref call all interpolate branch refs into Open3.capture3 argv, same pattern as the rest of GitRepositoryService already covered in brakeman.ignore — Open3 never invokes a shell, and safe_rev? rejects refs starting with "-" before they reach git.

Seto Elkahfi committed Jul 5, 2026 at 11:57 UTC f5ce9a9cf1e6016e70815a94e392911bbafb85f7
1 file changed +30
config/brakeman.ignore
+30
index ae0aa8c..991e8b3 100644 --- a/config/brakeman.ignore +++ b/config/brakeman.ignore @@ -70,6 +70,36 @@ "line": 245, "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated ref is passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." }, + { + "warning_type": "Command Injection", + "warning_code": 14, + "fingerprint": "9569afc8080f4e1e0e4b4b3de400e2695641b30574fbdb0b421d1b41c5224df1", + "check_name": "Execute", + "message": "Possible command injection", + "file": "app/services/git_repository_service.rb", + "line": 269, + "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base/head refs are passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." + }, + { + "warning_type": "Command Injection", + "warning_code": 14, + "fingerprint": "03f0108aa182ee54b38be945afcbe9c90ffec86500b284510dae38fff5a2d1e0", + "check_name": "Execute", + "message": "Possible command injection", + "file": "app/services/git_repository_service.rb", + "line": 294, + "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base/head refs are passed to git as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." + }, + { + "warning_type": "Command Injection", + "warning_code": 14, + "fingerprint": "405f8ed8c2a9df18ef8591501a996ad3e5ce7fb5eb046c1e1aaddd47e1dc762d", + "check_name": "Execute", + "message": "Possible command injection", + "file": "app/services/git_repository_service.rb", + "line": 336, + "note": "False positive: Open3.capture3 is called with a separate argument list (no shell), so the interpolated base ref reaches `update-ref` as a single literal argv entry and cannot inject shell commands. GitRepositoryService.safe_rev? also rejects any ref/SHA starting with \"-\" before it reaches git, closing the git-argument-injection surface (e.g. a branch of \"--output=...\")." + }, { "warning_type": "Command Injection", "warning_code": 14,