dep: update github.com/gogs/git-module to v1.8.4 (#7872)

Fixes
https://github.com/gogs/gogs/security/advisories/GHSA-m27m-h5gj-wwmg by
including https://github.com/gogs/git-module/pull/110
Joe Chen
2024-12-22 16:37:51 -05:00
parent ce51a8e538
commit 2b0f129a91
5 changed files with 12 additions and 8 deletions


@@ -125,8 +125,8 @@ func createTag(gitRepo *git.Repository, r *Release) error {
return fmt.Errorf("get branch commit: %v", err)
}
// Trim '--' prefix to prevent command line argument vulnerability.
r.TagName = strings.TrimPrefix(r.TagName, "--")
// 🚨 SECURITY: Trim any leading '-' to prevent command line argument injection.
r.TagName = strings.TrimLeft(r.TagName, "-")
if err = gitRepo.CreateTag(r.TagName, commit.ID.String()); err != nil {
if strings.Contains(err.Error(), "is not a valid tag name") {
return ErrInvalidTagName{r.TagName}
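Review bot: The new `strings.TrimLeft(r.TagName, "-")` silently rewrites the tag name instead of rejecting it, so a release submitted with a leading-dash name is created under a different name than the one supplied, and a name made only of dashes collapses to the empty string before it reaches `gitRepo.CreateTag`. Rejecting is easier to reason about and to audit: `if strings.HasPrefix(r.TagName, "-") { return ErrInvalidTagName{r.TagName} }`. If trimming is kept for compatibility, an explicit empty-name check after it would stop the failure path from depending on git's error text containing "is not a valid tag name". createTag begins and ends outside this hunk, so whether callers already validate the name earlier is not visible here.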


@@ -243,7 +243,7 @@ func (repo *Repository) GetDiffPreview(branch, treePath, content string) (diff *
return nil, fmt.Errorf("write file: %v", err)
}
// 🚨 SECURITY: Prevent including unintended options in the path to the git command.
// 🚨 SECURITY: Prevent including unintended options in the path to the Git command.
cmd := exec.Command("git", "diff", "--end-of-options", treePath)
cmd.Dir = localPath
cmd.Stderr = os.Stderr