fix(security): prevent command injection via shell=True (CWE-78)

Replace shell=True with list-based subprocess calls for all git.py
functions that interpolate user-controlled values (tag names, messages,
file paths, git references). This prevents shell injection attacks where
malicious values in pyproject.toml could execute arbitrary commands
during CI/CD runs of 'cz bump'.

Changes:
- cmd.run() now accepts str | Sequence[str]; lists use shell=False
- git.tag() uses list args (fixes primary attack vector)
- git.add() uses list args
- git.commit() uses list args + env= for GIT_COMMITTER_DATE
- git.tag_exist/is_signed_tag/get_tag_message use list args
- git.get_filenames_in_commit() uses list args
- git.get_tags() uses list args
- git._get_log_as_str_list() uses list args

Closes #1918

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: bearomorphism

commitizen/cmd.py

@@ -9,7 +9,7 @@
 from commitizen.exceptions import CharacterSetDecodeError
 
 if TYPE_CHECKING:
-    from collections.abc import Mapping
+    from collections.abc import Mapping, Sequence
 
 
 class Command(NamedTuple):
@@ -35,12 +35,18 @@ def _try_decode(bytes_: bytes) -> str:
         raise CharacterSetDecodeError() from e
 
 
-def run(cmd: str, env: Mapping[str, str] | None = None) -> Command:
+def _popen(
+    cmd: str | Sequence[str],
+    *,
+    shell: bool,
+    env: Mapping[str, str] | None = None,
+) -> Command:
     if env is not None:
         env = {**os.environ, **env}
+
     process = subprocess.Popen(
         cmd,
-        shell=True,
+        shell=shell,
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
         stdin=subprocess.PIPE,
@@ -55,3 +61,22 @@ def run(cmd: str, env: Mapping[str, str] | None = None) -> Command:
         stderr,
         return_code,
     )
+
+
+def run(cmd: Sequence[str], env: Mapping[str, str] | None = None) -> Command:
+    """Run a command safely without shell interpretation (shell=False).
+
+    Arguments are passed directly to the OS, preventing shell-injection
+    vulnerabilities (CWE-78).
+    """
+    return _popen(cmd, shell=False, env=env)
+
+
+def run_shell(cmd: str, env: Mapping[str, str] | None = None) -> Command:
+    """Run a command string via the system shell (shell=True).
+
+    Only use this for cases that intentionally require shell features
+    (e.g., user-defined hooks with pipes/redirects). Never pass
+    untrusted/user-controlled values into *cmd*.
+    """
+    return _popen(cmd, shell=True, env=env)

commitizen/commands/init.py

@@ -130,11 +130,12 @@ def __call__(self) -> None:
                     "pre-commit is not installed in current environment."
                 )
 
-            cmd_str = "pre-commit install " + " ".join(
-                f"--hook-type {ty}" for ty in hook_types
-            )
-            c = cmd.run(cmd_str)
+            cmd_args = ["pre-commit", "install"]
+            for ty in hook_types:
+                cmd_args.extend(["--hook-type", ty])
+            c = cmd.run(cmd_args)
             if c.return_code != 0:
+                cmd_str = " ".join(cmd_args)
                 raise InitFailedError(
                     "Failed to install pre-commit hook.\n"
                     f"Error running {cmd_str}."

commitizen/git.py

@@ -19,7 +19,7 @@ class EOLType(Enum):
 
     @classmethod
     def for_open(cls) -> str:
-        c = cmd.run("git config core.eol")
+        c = cmd.run(["git", "config", "core.eol"])
         eol = c.out.strip().upper()
         return cls._char_for_open()[cls._safe_cast(eol)]
 
@@ -164,17 +164,17 @@ def tag(
     tag: str, annotated: bool = False, signed: bool = False, msg: str | None = None
 ) -> cmd.Command:
     if not annotated and not signed:
-        return cmd.run(f"git tag {tag}")
+        return cmd.run(["git", "tag", tag])
 
     # according to https://git-scm.com/book/en/v2/Git-Basics-Tagging,
     # we're not able to create lightweight tag with message.
     # by adding message, we make it a annotated tags
     option = "-s" if signed else "-a"  # The else case is for annotated tags
-    return cmd.run(f'git tag {option} {tag} -m "{msg or tag}"')
+    return cmd.run(["git", "tag", option, tag, "-m", msg or tag])
 
 
 def add(*args: str) -> cmd.Command:
-    return cmd.run(f"git add {' '.join(args)}")
+    return cmd.run(["git", "add", *args])
 
 
 def commit(
@@ -186,20 +186,18 @@ def commit(
     f.write(message.encode("utf-8"))
     f.close()
 
-    command = _create_commit_cmd_string(args, committer_date, f.name)
-    c = cmd.run(command)
-    os.unlink(f.name)
-    return c
+    cmd_args = ["git", "commit"]
+    if args:
+        cmd_args.extend(args.split())
+    cmd_args.extend(["-F", f.name])
 
+    env: dict[str, str] | None = None
+    if committer_date:
+        env = {"GIT_COMMITTER_DATE": committer_date}
 
-def _create_commit_cmd_string(args: str, committer_date: str | None, name: str) -> str:
-    command = f'git commit {args} -F "{name}"'
-    if not committer_date:
-        return command
-    if os.name != "nt":
-        return f"GIT_COMMITTER_DATE={committer_date} {command}"
-    # Using `cmd /v /c "{command}"` sets environment variables only for that command
-    return f'cmd /v /c "set GIT_COMMITTER_DATE={committer_date}&& {command}"'
+    c = cmd.run(cmd_args, env=env)
+    os.unlink(f.name)
+    return c
 
 
 def get_commits(
@@ -226,7 +224,10 @@ def get_filenames_in_commit(git_reference: str = "") -> list[str]:
 
     :returns: file names committed in the last commit by default or inside the passed git reference
     """
-    c = cmd.run(f"git show --name-only --pretty=format: {git_reference}")
+    cmd_args = ["git", "show", "--name-only", "--pretty=format:"]
+    if git_reference:
+        cmd_args.append(git_reference)
+    c = cmd.run(cmd_args)
     if c.return_code == 0:
         return c.out.strip().split("\n")
     raise GitCommandError(c.err)
@@ -237,15 +238,17 @@ def get_tags(
 ) -> list[GitTag]:
     inner_delimiter = "---inner_delimiter---"
     formatter = (
-        f'"%(refname:strip=2){inner_delimiter}'
+        f"%(refname:strip=2){inner_delimiter}"
         f"%(objectname){inner_delimiter}"
         f"%(creatordate:format:{dateformat}){inner_delimiter}"
-        f'%(object)"'
+        f"%(object)"
     )
-    extra = "--merged" if reachable_only else ""
+    cmd_args = ["git", "tag", f"--format={formatter}", "--sort=-creatordate"]
+    if reachable_only:
+        cmd_args.append("--merged")
     # Force the default language for parsing
     env = {"LC_ALL": "C", "LANG": "C", "LANGUAGE": "C"}
-    c = cmd.run(f"git tag --format={formatter} --sort=-creatordate {extra}", env=env)
+    c = cmd.run(cmd_args, env=env)
     if c.return_code != 0:
         if reachable_only and c.err == "fatal: malformed object name HEAD\n":
             # this can happen if there are no commits in the repo yet
@@ -262,55 +265,55 @@ def get_tags(
 
 
 def tag_exist(tag: str) -> bool:
-    c = cmd.run(f"git tag --list {tag}")
+    c = cmd.run(["git", "tag", "--list", tag])
     return tag in c.out
 
 
 def is_signed_tag(tag: str) -> bool:
-    return cmd.run(f"git tag -v {tag}").return_code == 0
+    return cmd.run(["git", "tag", "-v", tag]).return_code == 0
 
 
 def get_latest_tag_name() -> str | None:
-    c = cmd.run("git describe --abbrev=0 --tags")
+    c = cmd.run(["git", "describe", "--abbrev=0", "--tags"])
     if c.err:
         return None
     return c.out.strip()
 
 
 def get_tag_message(tag: str) -> str | None:
-    c = cmd.run(f"git tag -l --format='%(contents:subject)' {tag}")
+    c = cmd.run(["git", "tag", "-l", "--format=%(contents:subject)", tag])
     if c.err:
         return None
     return c.out.strip()
 
 
 def get_tag_names() -> list[str]:
-    c = cmd.run("git tag --list")
+    c = cmd.run(["git", "tag", "--list"])
     if c.err:
         return []
     return [tag for raw in c.out.split("\n") if (tag := raw.strip())]
 
 
 def find_git_project_root() -> Path | None:
-    c = cmd.run("git rev-parse --show-toplevel")
+    c = cmd.run(["git", "rev-parse", "--show-toplevel"])
     if c.err:
         return None
     return Path(c.out.strip())
 
 
 def is_staging_clean() -> bool:
     """Check if staging is clean."""
-    c = cmd.run("git diff --no-ext-diff --cached --name-only")
+    c = cmd.run(["git", "diff", "--no-ext-diff", "--cached", "--name-only"])
     return not bool(c.out)
 
 
 def is_git_project() -> bool:
-    c = cmd.run("git rev-parse --is-inside-work-tree")
+    c = cmd.run(["git", "rev-parse", "--is-inside-work-tree"])
     return c.out.strip() == "true"
 
 
 def get_core_editor() -> str | None:
-    c = cmd.run("git var GIT_EDITOR")
+    c = cmd.run(["git", "var", "GIT_EDITOR"])
     if c.out:
         return c.out.strip()
     return None
@@ -326,16 +329,26 @@ def _get_log_as_str_list(start: str | None, end: str, args: str) -> list[str]:
     delimiter = "----------commit-delimiter----------"
     log_format: str = "%H%n%P%n%s%n%an%n%ae%n%b"
     command_range = f"{start}..{end}" if start else end
-    command = f"git -c log.showSignature=False log --pretty={log_format}{delimiter} {args} {command_range}"
+    cmd_args = [
+        "git",
+        "-c",
+        "log.showSignature=False",
+        "log",
+        f"--pretty={log_format}{delimiter}",
+    ]
+    if args:
+        cmd_args.extend(args.split())
+    if command_range:
+        cmd_args.append(command_range)
 
-    c = cmd.run(command)
+    c = cmd.run(cmd_args)
     if c.return_code != 0:
         raise GitCommandError(c.err)
     return c.out.split(f"{delimiter}\n")
 
 
 def get_default_branch() -> str:
-    c = cmd.run("git symbolic-ref refs/remotes/origin/HEAD")
+    c = cmd.run(["git", "symbolic-ref", "refs/remotes/origin/HEAD"])
     if c.return_code != 0:
         raise GitCommandError(c.err)
     return c.out.strip()

commitizen/hooks.py

@@ -17,7 +17,7 @@ def run(hooks: str | list[str], _env_prefix: str = "CZ_", **env: object) -> None
     for hook in hooks:
         out.info(f"Running hook '{hook}'")
 
-        c = cmd.run(hook, env=_format_env(_env_prefix, env))
+        c = cmd.run_shell(hook, env=_format_env(_env_prefix, env))
 
         if c.out:
             out.write(c.out)

tests/commands/test_bump_command.py

@@ -2,6 +2,7 @@
 
 import inspect
 import re
+from pathlib import Path
 from textwrap import dedent
 from typing import TYPE_CHECKING
 from unittest.mock import call
@@ -28,8 +29,6 @@
 )
 
 if TYPE_CHECKING:
-    from pathlib import Path
-
     from pytest_mock import MockFixture
     from pytest_regressions.file_regression import FileRegressionFixture
 
@@ -64,7 +63,9 @@ def test_bump_minor_increment(commit_msg: str, util: UtilFixture):
     assert git.tag_exist("0.2.0") is True
     assert (
         "commit:refs/tags/0.2.0"
-        in cmd.run('git for-each-ref refs/tags --format "%(objecttype):%(refname)"').out
+        in cmd.run(
+            ["git", "for-each-ref", "refs/tags", "--format", "%(objecttype):%(refname)"]
+        ).out
     )
 
 
@@ -76,7 +77,9 @@ def test_bump_minor_increment_annotated(commit_msg: str, util: UtilFixture):
     assert git.tag_exist("0.2.0") is True
     assert (
         "tag:refs/tags/0.2.0"
-        in cmd.run('git for-each-ref refs/tags --format "%(objecttype):%(refname)"').out
+        in cmd.run(
+            ["git", "for-each-ref", "refs/tags", "--format", "%(objecttype):%(refname)"]
+        ).out
     )
 
     assert git.is_signed_tag("0.2.0") is False
@@ -90,7 +93,9 @@ def test_bump_minor_increment_signed(commit_msg: str, util: UtilFixture):
     assert git.tag_exist("0.2.0") is True
     assert (
         "tag:refs/tags/0.2.0"
-        in cmd.run('git for-each-ref refs/tags --format "%(objecttype):%(refname)"').out
+        in cmd.run(
+            ["git", "for-each-ref", "refs/tags", "--format", "%(objecttype):%(refname)"]
+        ).out
     )
 
     assert git.is_signed_tag("0.2.0") is True
@@ -107,7 +112,9 @@ def test_bump_minor_increment_annotated_config_file(
     assert git.tag_exist("0.2.0") is True
     assert (
         "tag:refs/tags/0.2.0"
-        in cmd.run('git for-each-ref refs/tags --format "%(objecttype):%(refname)"').out
+        in cmd.run(
+            ["git", "for-each-ref", "refs/tags", "--format", "%(objecttype):%(refname)"]
+        ).out
     )
 
     assert git.is_signed_tag("0.2.0") is False
@@ -125,7 +132,9 @@ def test_bump_minor_increment_signed_config_file(
     assert git.tag_exist("0.2.0") is True
     assert (
         "tag:refs/tags/0.2.0"
-        in cmd.run('git for-each-ref refs/tags --format "%(objecttype):%(refname)"').out
+        in cmd.run(
+            ["git", "for-each-ref", "refs/tags", "--format", "%(objecttype):%(refname)"]
+        ).out
     )
 
     assert git.is_signed_tag("0.2.0") is True
@@ -283,10 +292,10 @@ def test_bump_command_prerelease_exact_mode(util: UtilFixture):
 @pytest.mark.usefixtures("tmp_commitizen_project")
 def test_bump_on_git_with_hooks_no_verify_disabled(util: UtilFixture):
     """Bump commit without --no-verify"""
-    cmd.run("mkdir .git/hooks")
+    Path(".git/hooks").mkdir(parents=True, exist_ok=True)
     with open(".git/hooks/pre-commit", "w", encoding="utf-8") as f:
         f.write('#!/usr/bin/env bash\necho "0.1.0"')
-    cmd.run("chmod +x .git/hooks/pre-commit")
+    Path(".git/hooks/pre-commit").chmod(0o755)
 
     # MINOR
     util.create_file_and_commit("feat: new file")
@@ -296,10 +305,10 @@ def test_bump_on_git_with_hooks_no_verify_disabled(util: UtilFixture):
 
 @pytest.mark.usefixtures("tmp_commitizen_project")
 def test_bump_tag_exists_raises_exception(util: UtilFixture):
-    cmd.run("mkdir .git/hooks")
+    Path(".git/hooks").mkdir(parents=True, exist_ok=True)
     with open(".git/hooks/post-commit", "w", encoding="utf-8") as f:
         f.write("#!/usr/bin/env bash\nexit 9")
-    cmd.run("chmod +x .git/hooks/post-commit")
+    Path(".git/hooks/post-commit").chmod(0o755)
 
     # MINOR
     util.create_file_and_commit("feat: new file")
@@ -312,10 +321,10 @@ def test_bump_tag_exists_raises_exception(util: UtilFixture):
 
 @pytest.mark.usefixtures("tmp_commitizen_project")
 def test_bump_on_git_with_hooks_no_verify_enabled(util: UtilFixture):
-    cmd.run("mkdir .git/hooks")
+    Path(".git/hooks").mkdir(parents=True, exist_ok=True)
     with open(".git/hooks/pre-commit", "w", encoding="utf-8") as f:
         f.write('#!/usr/bin/env bash\necho "0.1.0"')
-    cmd.run("chmod +x .git/hooks/pre-commit")
+    Path(".git/hooks/pre-commit").chmod(0o755)
 
     # MINOR
     util.create_file_and_commit("feat: new file")