fix: critical security and encoding vulnerabilities

- Fixed command injection vulnerabilities in release scripts
- Enhanced UTF-8 encoding error handling with fallback strategies
- Removed hardcoded credentials from release_uv.py
- Improved git diff encoding with latin-1 fallback
- Sanitized diff content before sending to OpenAI API

Author: Arakiss

commitloom/core/git.py

@@ -258,13 +258,19 @@ def get_diff(files: list[GitFile] | None = None) -> str:
             # Get raw bytes to handle different encodings
             result = subprocess.run(cmd, capture_output=True, check=True)
 
-            # Try to decode with UTF-8 first, fallback to latin-1 with replacement
+            # Try to decode with UTF-8 first, fallback to latin-1 which accepts any byte sequence
             try:
                 return result.stdout.decode('utf-8')
             except UnicodeDecodeError:
-                logger.warning("Failed to decode diff as UTF-8, using fallback encoding")
-                # Use latin-1 which accepts any byte sequence, or replace errors
-                return result.stdout.decode('utf-8', errors='replace')
+                logger.warning("Failed to decode diff as UTF-8, using latin-1 encoding")
+                # latin-1 (ISO-8859-1) accepts any byte sequence (0x00-0xFF)
+                # This ensures we never fail with encoding errors
+                try:
+                    return result.stdout.decode('latin-1')
+                except Exception:
+                    # Ultimate fallback: replace invalid characters
+                    logger.warning("latin-1 decoding also failed, using replacement characters")
+                    return result.stdout.decode('utf-8', errors='replace')
 
         except subprocess.CalledProcessError as e:
             error_msg = e.stderr.decode('utf-8', errors='replace') if e.stderr else str(e)

commitloom/services/ai_service.py

@@ -105,6 +105,17 @@ def token_usage_from_api_usage(cls, usage: dict[str, int]) -> TokenUsage:
 
     def generate_prompt(self, diff: str, changed_files: list[GitFile]) -> str:
         """Generate the prompt for the AI model."""
+        # Ensure diff is properly encoded by cleaning any invalid UTF-8 sequences
+        if isinstance(diff, bytes):
+            diff = diff.decode('utf-8', errors='replace')
+        elif isinstance(diff, str):
+            # Re-encode and decode to ensure clean UTF-8
+            try:
+                diff = diff.encode('utf-8', errors='replace').decode('utf-8')
+            except Exception:
+                # If encoding fails, use original string
+                pass
+
         files_summary = ", ".join(f.path for f in changed_files)
         has_binary = any(f.is_binary for f in changed_files)
         binary_files = ", ".join(f.path for f in changed_files if f.is_binary)

release.py

@@ -26,8 +26,22 @@
     "chore": "🔧 Chores",
 }
 
-def run_command(cmd: str) -> str:
-    return subprocess.check_output(cmd, shell=True).decode().strip()
+def run_command(cmd: str | list[str]) -> str:
+    """Execute a command safely without shell=True.
+
+    Args:
+        cmd: Command as list of arguments (preferred) or string (will attempt to parse)
+
+    Returns:
+        Command output as string
+    """
+    if isinstance(cmd, str):
+        # For simple commands, split by spaces
+        # Note: This won't work for commands with quoted arguments or shell operators
+        # Those commands should be refactored to use list form
+        import shlex
+        cmd = shlex.split(cmd)
+    return subprocess.check_output(cmd, shell=False).decode().strip()
 
 def get_current_version() -> str:
     return run_command("poetry version -s")
@@ -77,11 +91,15 @@ def update_changelog(version: str) -> None:
         content = f.read()
 
     # Get commits since last release
-    last_tag = run_command("git describe --tags --abbrev=0 || echo ''")
+    try:
+        last_tag = run_command(["git", "describe", "--tags", "--abbrev=0"])
+    except subprocess.CalledProcessError:
+        last_tag = ""
+
     if last_tag:
-        raw_commits = run_command(f"git log {last_tag}..HEAD --pretty=format:'%s'").split('\n')
+        raw_commits = run_command(["git", "log", f"{last_tag}..HEAD", "--pretty=format:%s"]).split('\n')
     else:
-        raw_commits = run_command("git log --pretty=format:'%s'").split('\n')
+        raw_commits = run_command(["git", "log", "--pretty=format:%s"]).split('\n')
 
     # Categorize commits
     categorized_commits = categorize_commits(raw_commits)
@@ -117,16 +135,16 @@ def create_github_release(version: str, dry_run: bool = False) -> None:
     tag = f"v{version}"
     if not dry_run:
         # Create and push tag
-        run_command(f'git tag -a {tag} -m "Release {tag}"')
-        run_command("git push origin main --tags")
+        run_command(["git", "tag", "-a", tag, "-m", f"Release {tag}"])
+        run_command(["git", "push", "origin", "main", "--tags"])
         print(f"✅ Created and pushed tag {tag}")
 
         # Create GitHub Release
         github_token = os.getenv("GITHUB_TOKEN")
         if github_token:
             try:
                 # Get repository info from git remote
-                remote_url = run_command("git remote get-url origin")
+                remote_url = run_command(["git", "remote", "get-url", "origin"])
                 repo_path = re.search(r"github\.com[:/](.+?)(?:\.git)?$", remote_url).group(1)
 
                 # Prepare release data
@@ -189,14 +207,14 @@ def create_version_commits(new_version: str) -> None:
     update_init_version(new_version)
 
     # 2. Add both version files and commit
-    run_command('git add pyproject.toml commitloom/__init__.py')
-    run_command(f'git commit -m "build: bump version to {new_version}"')
+    run_command(["git", "add", "pyproject.toml", "commitloom/__init__.py"])
+    run_command(["git", "commit", "-m", f"build: bump version to {new_version}"])
     print("✅ Committed version bump")
 
     # 3. Update changelog
     update_changelog(new_version)
-    run_command('git add CHANGELOG.md')
-    run_command(f'git commit -m "docs: update changelog for {new_version}"')
+    run_command(["git", "add", "CHANGELOG.md"])
+    run_command(["git", "commit", "-m", f"docs: update changelog for {new_version}"])
     print("✅ Committed changelog update")
 
 def main() -> None:
@@ -215,13 +233,13 @@ def main() -> None:
     args = parser.parse_args()
 
     # Ensure we're on main branch
-    current_branch = run_command("git branch --show-current")
+    current_branch = run_command(["git", "branch", "--show-current"])
     if current_branch != "main":
         print("❌ Must be on main branch to release")
         exit(1)
 
     # Ensure working directory is clean
-    if run_command("git status --porcelain"):
+    if run_command(["git", "status", "--porcelain"]):
         print("❌ Working directory is not clean")
         exit(1)
 
@@ -235,7 +253,7 @@ def main() -> None:
         create_version_commits(new_version)
 
         # Push changes
-        run_command("git push origin main")
+        run_command(["git", "push", "origin", "main"])
         print("✅ Pushed changes to main")
 
         # Create GitHub release

release_uv.py

@@ -30,14 +30,26 @@
     "chore": "🔧 Chores",
 }
 
-def run_command(cmd: str, check: bool = True) -> str:
-    """Run a shell command and return output."""
+def run_command(cmd: str | list[str], check: bool = True) -> str:
+    """Run a command safely without shell=True.
+
+    Args:
+        cmd: Command as list of arguments (preferred) or string (will be parsed)
+        check: Whether to raise exception on non-zero exit
+
+    Returns:
+        Command output as string
+    """
+    import shlex
+    if isinstance(cmd, str):
+        cmd = shlex.split(cmd)
+
     try:
-        result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=check)
+        result = subprocess.run(cmd, shell=False, capture_output=True, text=True, check=check)
         return result.stdout.strip()
     except subprocess.CalledProcessError as e:
         if check:
-            print(f"❌ Command failed: {cmd}")
+            print(f"❌ Command failed: {' '.join(cmd) if isinstance(cmd, list) else cmd}")
             print(f"   Error: {e.stderr}")
             sys.exit(1)
         return ""
@@ -128,11 +140,15 @@ def update_changelog(version: str) -> None:
     current_date = datetime.now().strftime("%Y-%m-%d")
 
     # Get commits since last tag
-    last_tag = run_command("git describe --tags --abbrev=0 2>/dev/null || echo ''", check=False)
+    try:
+        last_tag = run_command(["git", "describe", "--tags", "--abbrev=0"], check=True)
+    except Exception:
+        last_tag = ""
+
     if last_tag:
-        raw_commits = run_command(f"git log {last_tag}..HEAD --pretty=format:'%s'").split('\n')
+        raw_commits = run_command(["git", "log", f"{last_tag}..HEAD", "--pretty=format:%s"]).split('\n')
     else:
-        raw_commits = run_command("git log --pretty=format:'%s'").split('\n')
+        raw_commits = run_command(["git", "log", "--pretty=format:%s"]).split('\n')
 
     # Categorize commits
     categorized_commits = categorize_commits(raw_commits)
@@ -177,14 +193,14 @@ def create_version_commits(new_version: str) -> None:
     update_version_in_files(new_version)
 
     # Commit version bump
-    run_command('git add pyproject.toml commitloom/__init__.py')
-    run_command(f'git commit -m "build: bump version to {new_version}"')
+    run_command(["git", "add", "pyproject.toml", "commitloom/__init__.py"])
+    run_command(["git", "commit", "-m", f"build: bump version to {new_version}"])
     print("✅ Committed version bump")
 
     # Update changelog
     update_changelog(new_version)
-    run_command('git add CHANGELOG.md')
-    run_command(f'git commit -m "docs: update changelog for {new_version}"')
+    run_command(["git", "add", "CHANGELOG.md"])
+    run_command(["git", "commit", "-m", f"docs: update changelog for {new_version}"])
     print("✅ Committed changelog update")
 
 def get_changelog_entry(version: str) -> str:
@@ -215,22 +231,22 @@ def create_github_release(version: str, dry_run: bool = False) -> None:
     changelog_content = get_changelog_entry(version)
     tag_message = f"Release {tag}\n\n{changelog_content}" if changelog_content else f"Release {tag}"
 
-    run_command(f'git tag -a {tag} -m "{tag_message}"')
+    run_command(["git", "tag", "-a", tag, "-m", tag_message])
     print(f"✅ Created tag {tag}")
 
     # Push commits and tag
-    run_command("git push origin main")
+    run_command(["git", "push", "origin", "main"])
     print("✅ Pushed commits to main")
 
-    run_command("git push origin --tags")
+    run_command(["git", "push", "origin", "--tags"])
     print("✅ Pushed tag to origin")
 
     # Create GitHub Release via API
     github_token = os.getenv("GITHUB_TOKEN")
     if github_token:
         try:
             # Get repository info from git remote
-            remote_url = run_command("git remote get-url origin")
+            remote_url = run_command(["git", "remote", "get-url", "origin"])
             repo_match = re.search(r"github\.com[:/](.+?)(?:\.git)?$", remote_url)
             if not repo_match:
                 print("⚠️ Could not parse GitHub repository from remote URL")
@@ -276,25 +292,24 @@ def create_github_release(version: str, dry_run: bool = False) -> None:
 def check_prerequisites() -> None:
     """Check that we can proceed with release."""
     # Ensure we're on main branch
-    current_branch = run_command("git branch --show-current")
+    current_branch = run_command(["git", "branch", "--show-current"])
     if current_branch != "main":
         print(f"❌ Must be on main branch to release (currently on {current_branch})")
         sys.exit(1)
 
     # Ensure working directory is clean
-    if run_command("git status --porcelain"):
+    if run_command(["git", "status", "--porcelain"]):
         print("❌ Working directory is not clean. Commit or stash changes first.")
         sys.exit(1)
 
     # Ensure git user is configured
-    user_name = run_command("git config user.name", check=False)
-    user_email = run_command("git config user.email", check=False)
+    user_name = run_command(["git", "config", "user.name"], check=False)
+    user_email = run_command(["git", "config", "user.email"], check=False)
     if not user_name or not user_email:
-        print("⚠️ Git user not configured. Setting default values...")
-        if not user_name:
-            run_command('git config user.name "Petru Arakiss"')
-        if not user_email:
-            run_command('git config user.email "petruarakiss@gmail.com"')
+        print("❌ Git user not configured. Please configure git user:")
+        print("   git config user.name 'Your Name'")
+        print("   git config user.email 'your.email@example.com'")
+        sys.exit(1)
 
 def main() -> None:
     parser = argparse.ArgumentParser(
@@ -350,7 +365,7 @@ def main() -> None:
             tag = f"v{new_version}"
             changelog_content = get_changelog_entry(new_version)
             tag_message = f"Release {tag}\n\n{changelog_content}" if changelog_content else f"Release {tag}"
-            run_command(f'git tag -a {tag} -m "{tag_message}"')
+            run_command(["git", "tag", "-a", tag, "-m", tag_message])
             print(f"✅ Created tag {tag}")
             print("ℹ️ Skipped GitHub release (use --skip-github=false to enable)")