
security: fix improper string trimming via xargs #4

Merged
RodrigoEspinosa merged 1 commit into master from fix-xargs-trimming-vulnerability-12604021998042316267
Apr 10, 2026
Conversation

@RodrigoEspinosa
Owner

The bin/wt script used xargs to trim whitespace from the branch name extracted from a DELETE: selection. However, xargs interprets quotes by default, causing it to fail with "unmatched single quote" if the branch name contains a single quote (which is valid in git).

I've replaced this with read -r branch <<< "$branch", which uses the Bash read builtin's default behavior of trimming leading/trailing whitespace without interpreting any characters in the string. This is both more secure and more efficient as it's a shell builtin.

Verified the fix by testing the logic with branch names containing single quotes and whitespace.


PR created automatically by Jules for task 12604021998042316267 started by @RodrigoEspinosa

The use of `xargs` to trim whitespace from branch names was vulnerable to failure when the branch name contained a single quote (e.g., `branch'quote`). In such cases, `xargs` would exit with an "unmatched single quote" error, preventing the deletion of the worktree.

This commit replaces `xargs` with the Bash builtin `read -r`, which safely trims leading and trailing whitespace without interpreting quotes or other special characters.

🎯 **What:** Replaced `xargs` for string trimming in `bin/wt`.
⚠️ **Risk:** Branch names with single quotes would cause `wt` to fail during deletion actions.
🛡️ **Solution:** Use `read -r branch <<< "$branch"` for robust whitespace trimming.

Co-authored-by: RodrigoEspinosa <1685621+RodrigoEspinosa@users.noreply.github.com>
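Added example, not the project's own `bin/wt` script: a bash function that trims a branch name with `read -r` over a here-string the way this PR does, beside the `xargs` pipeline it replaced, exercised on constructed inputs that contain a single quote, a backslash and surrounding whitespace. The helper names `trim_ws`, `trim_via_xargs` and `parse_delete_selection`, the exact `DELETE:` selection format and the pinned IFS are assumptions; the PR only says the branch name is extracted from a `DELETE:` selection.

```bash
#!/usr/bin/env bash
# Added example, not the project's bin/wt script. Shows the trimming change
# made in this PR: `read -r` over a here-string instead of `xargs`.

# trim_ws: print $1 with leading and trailing whitespace removed.
# `read -r` keeps backslashes literal and, unlike xargs, never parses quotes.
# IFS is pinned to the default set (space, tab, newline) so a caller that has
# changed IFS still gets the same trimming. Only the first line is read, which
# is fine for git ref names because they cannot contain control characters.
# (Helper name is an assumption.)
trim_ws() {
    local value
    IFS=$' \t\n' read -r value <<< "$1"
    printf '%s' "$value"
}

# trim_via_xargs: the pattern the PR removed. xargs tokenises its input like a
# shell, so a branch name containing a single quote makes GNU xargs abort with
# "unmatched single quote" (the failure described in the PR). Returns xargs's
# exit status so the caller can observe that failure.
trim_via_xargs() {
    printf '%s\n' "$1" | xargs 2>/dev/null
}

# parse_delete_selection: strip an assumed "DELETE:" prefix from a selection
# line and trim the remaining branch name. Returns 1 for any other selection.
parse_delete_selection() {
    local sel=$1
    case $sel in
        DELETE:*) trim_ws "${sel#DELETE:}" ;;
        *) return 1 ;;
    esac
}

# Demo on constructed inputs (a single quote is legal in a git ref name).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    for sel in "DELETE:   feat/o'brien   " $'DELETE:\trelease/2026.04 '; do
        printf 'read -r : [%s]\n' "$(parse_delete_selection "$sel")"
        if ! trim_via_xargs "${sel#DELETE:}" >/dev/null; then
            printf 'xargs   : failed on [%s]\n' "${sel#DELETE:}"
        fi
    done
fi
```

`read -r` does no quote or backslash processing, so the only behaviour to keep in mind is that trimming is driven by IFS; pinning IFS on the `read` line, as above, removes that dependency on the caller's environment.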
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@RodrigoEspinosa RodrigoEspinosa changed the title 🔒 [security] Fix improper string trimming via xargs security: fix improper string trimming via xargs Apr 10, 2026
@RodrigoEspinosa RodrigoEspinosa merged commit 649f188 into master Apr 10, 2026
@RodrigoEspinosa RodrigoEspinosa deleted the fix-xargs-trimming-vulnerability-12604021998042316267 branch April 10, 2026 10:57