From fd06723f72874764c265fca73478d563d0bc554d Mon Sep 17 00:00:00 2001 From: Silberengel Date: Thu, 19 Feb 2026 16:52:12 +0100 Subject: [PATCH] security fixes Nostr-Signature: a16b9538d6ce6ce2f1030042a4106534e2af1583642315893cc56d9f2e7cd385 573634b648634cbad10f2451776089ea21090d9407f715e83c577b4611ae6edc 0be95c5f2d720c008b52a1d38cef9952b1a615ecd3ef34b5b373266a2afb880e30347d3ee467b4ea42eca4a0e57808f98795ada878357ad39ca1a3063d6b6a22 --- nostr/commit-signatures.jsonl | 1 + nostr/events-kind-1.jsonl | 3 +++ src/routes/api/git/[...path]/+server.ts | 10 ++++++---- 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/nostr/commit-signatures.jsonl b/nostr/commit-signatures.jsonl
index 3c5f7f9..9fa6480 100644
--- a/nostr/commit-signatures.jsonl
+++ b/nostr/commit-signatures.jsonl
@@ -1,3 +1,4 @@ {"kind":1640,"pubkey":"573634b648634cbad10f2451776089ea21090d9407f715e83c577b4611ae6edc","created_at":1771497264,"tags":[["author","Silberengel","silberengel7@protonmail.com"],["message","update docs"]],"content":"Signed commit: update docs","id":"5a14564a2b82b3b4ee4e21d28e7b362cc82e3c27eac38691c85f46480b100cf1","sig":"d1369aff4db39f61aba5f0954c0c8ba92df4aec96f1fab7cc5af51d1b0667734f35dec99363290de2c248b7074369f592b238b1b66987e09f267062073167131"} {"kind":1640,"pubkey":"573634b648634cbad10f2451776089ea21090d9407f715e83c577b4611ae6edc","created_at":1771497680,"tags":[["author","Silberengel","silberengel7@protonmail.com"],["message","validate signatures"]],"content":"Signed commit: validate signatures","id":"47edd2e8cbea27854a429202ddfb3fde3531a355276c619258bc90c4d6ce54cc","sig":"a941abf1d2c8e7dae4d5b4d6424c2e5394b05c98898d88b7acc1501cd6d8d3d13aea8be8d797dcb0701f752a32bf72a3b02f3c814707e10ed18d6d24f11d8ae0"} {"kind":1640,"pubkey":"573634b648634cbad10f2451776089ea21090d9407f715e83c577b4611ae6edc","created_at":1771502215,"tags":[["author","Silberengel","silberengel7@protonmail.com"],["message","added push-all to the cli\nimplement black theme\nimplement swagger API docs"]],"content":"Signed commit: added push-all to the cli\nimplement black theme\nimplement swagger API docs","id":"c15ce3d2f1ae613492802533a7e71b96df919a2ff52d501630c6ee64abf6a718","sig":"ba72d348528a2846c5e44474af821e79fcdb377caa0d905ae7e7fc9115b77ea92f65325a8f0000f83467983068f643ecf3beaca784666d361a8883160ae3a936"} +{"kind":1640,"pubkey":"573634b648634cbad10f2451776089ea21090d9407f715e83c577b4611ae6edc","created_at":1771513666,"tags":[["author","Silberengel","silberengel7@protonmail.com"],["message","setup separate repos"]],"content":"Signed commit: setup separate repos","id":"62fa7c667e07791d898d0af8971165a57df5a061585e4a71447e52f7444dc687","sig":"25ef4575b03248381920985338e0ff4605f0af3fcaf8615d7906e3e116e3fbb64de3f3927f511fd45340e7dbdc4a2c3ea7fa150e5e9c75a6b5880cecaa4d2851"} 
diff --git a/nostr/events-kind-1.jsonl b/nostr/events-kind-1.jsonl
index 2d51a28..63d1347 100644
--- a/nostr/events-kind-1.jsonl
+++ b/nostr/events-kind-1.jsonl
@@ -14,3 +14,6 @@ {"kind":1,"created_at":1771513431,"tags":[["client","gitrepublic-cli"]],"content":"Published from gitrepublic CLI.","pubkey":"573634b648634cbad10f2451776089ea21090d9407f715e83c577b4611ae6edc","id":"d8584d4c8acf886a8d6bbd4426364e4a4aeefcfb6cb0a6ed1424c1dfb1faabc8","sig":"246f2c15c26ce811a6ecda27d3a48e6e82a27de232752187795aca46b01ae158e1d24e2902fe65201f47224b16905d71abdd20ff5846fd0fd6ae8f1ecf6bc52e"} {"kind":1,"created_at":1771513536,"tags":[["client","gitrepublic-cli"]],"content":"Published from gitrepublic CLI.","pubkey":"573634b648634cbad10f2451776089ea21090d9407f715e83c577b4611ae6edc","id":"70eff91c6f1842c2e8de975ee8286c2da9cbf1c00d61a886c37340ed2511912b","sig":"9a20af5c64b6092f44f58a8e2814a3a79da5fe9770397927e86b3f8fa100a24061388274530014dcbc26b4672c33a88792cd0a52c6926ef08e11ccef7d0fcffe"} {"kind":1,"created_at":1771513628,"tags":[["client","gitrepublic-cli"]],"content":"Published from gitrepublic CLI.","pubkey":"573634b648634cbad10f2451776089ea21090d9407f715e83c577b4611ae6edc","id":"8b5565bf6d15f8e0ed551fd42fe1ae3c7edf02a6053d1b52aad379c63d609b27","sig":"ac513f9262e69c5b51a92efa4ebd49806f3af8db2621cb4aaf97a9b4c6bb270e8ea8d2f20e03471b3834433699e68477ce7e7fc7e8787137440f38656c5314f7"} +{"kind":1,"created_at":1771514350,"tags":[["client","gitrepublic-cli"]],"content":"After refactor","pubkey":"573634b648634cbad10f2451776089ea21090d9407f715e83c577b4611ae6edc","id":"fb1dc615ba763665868d9c99ee1c3dc332e4628e527879b74c80e4ef567a4c6f","sig":"f17c7815431b16d0273524d37e66f0ccf93c7107cd931fe8fe3c2ab3a3421cb82c07c165efeccea5bfa927ff000087ab503ee4669f1324a3acee74b2c51786e7"} +{"kind":1,"created_at":1771514466,"tags":[["client","gitrepublic-cli"]],"content":"After refactor","pubkey":"573634b648634cbad10f2451776089ea21090d9407f715e83c577b4611ae6edc","id":"55c904f2a2b03363f456cb3fcacf3a3e37fe42119228f1c221bcf45ff55746fc","sig":"40a7840007c4b4d538be853f22ae431296bd01929d25a3110508a6f601648c7a4b1f60cebf77bd58632edaf903a47f736ef145ae83d40947532636215f3edee3"} 
+{"kind":1,"created_at":1771514648,"tags":[["client","gitrepublic-cli"]],"content":"After refactor","pubkey":"573634b648634cbad10f2451776089ea21090d9407f715e83c577b4611ae6edc","id":"1f450a0aa75cdfded2452febd6b389a22e18fc55054a67a7792ade5fbccdf821","sig":"b1eab9ad0a04694c465c22141b28d841badec8bf220a1fb2bd1dcfb24e47d1fbdd1eaa46d8916c7c9d7c703e5e44dd117092c7ae6949d4a7e2736711112958dd"}
diff --git a/src/routes/api/git/[...path]/+server.ts b/src/routes/api/git/[...path]/+server.ts
index 8014d92..d4a1817 100644
--- a/src/routes/api/git/[...path]/+server.ts
+++ b/src/routes/api/git/[...path]/+server.ts
@@ -249,9 +249,10 @@ export const GET: RequestHandler = async ({ params, url, request }) => {
 // Even with GIT_HTTP_EXPORT_ALL=1, the repository config must allow it
 if (service === 'git-receive-pack') {
 try {
- const { execSync } = await import('child_process');
+ // Security: Use spawnSync with argument arrays instead of execSync
+ const { spawnSync } = await import('child_process');
 // Set http.receivepack to true if not already set
- execSync('git config http.receivepack true', {
+ spawnSync('git', ['config', 'http.receivepack', 'true'], {
 cwd: resolvedPath,
 stdio: 'ignore',
 timeout: 5000
@@ -636,9 +637,10 @@ export const POST: RequestHandler = async ({ params, url, request }) => {
 // Even with GIT_HTTP_EXPORT_ALL=1, the repository config must allow it
 if (gitPath === 'git-receive-pack' || path.includes('git-receive-pack')) {
 try {
- const { execSync } = await import('child_process');
+ // Security: Use spawnSync with argument arrays instead of execSync
+ const { spawnSync } = await import('child_process');
 // Set http.receivepack to true if not already set
- execSync('git config http.receivepack true', {
+ spawnSync('git', ['config', 'http.receivepack', 'true'], {
 cwd: resolvedPath,
 stdio: 'ignore',
 timeout: 5000
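Review bot: The new `spawnSync('git', ['config', 'http.receivepack', 'true'], …)` call in the GET hunk silently changes failure semantics: unlike execSync, spawnSync does not throw on a non-zero exit, a spawn error (e.g. git not found) or the 5000 ms timeout, so the enclosing try/catch — whose catch is outside the hunk — no longer observes a failed config write and the request presumably proceeds as if http.receivepack had been set, with stderr discarded by `stdio: 'ignore'`. Capture the result and surface failures explicitly, e.g. `const res = spawnSync('git', ['config', 'http.receivepack', 'true'], { cwd: resolvedPath, stdio: 'ignore', timeout: 5000 });` followed by `if (res.error) throw res.error;` and `if (res.status !== 0) throw new Error(\`git config exited with status ${res.status}\`);`. The same applies to the second hunk (`@@ -636,9 +637,10 @@`) in POST. The added "Security:" comment also overstates the change: the removed command was a fixed string with no interpolated input, so the argument array is hardening against future interpolation rather than a fix for an existing injection; a more accurate wording is `// Argument array (no shell) so the command line cannot be altered by interpolated values`.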