bug: Git commit messages with backticks will execute as a command (`security`)
Context
During a default install of husky, when I have a commit message with backticks, it will execute the command between the two backticks and add it to the commit message. This could lead to accidental deletion:
```
git commit -m "what `ls -lh`"
git log
commit bcdd487bce3fc31cde8124e861208c4f0a571a46 (HEAD -> main)
Author: Michael Brewer <foo@loo.com>
Date: Wed Jan 12 01:54:34 2022 -0800
what total 16
drwxr-xr-x 5 michaelbrewer staff 160B Jan 12 01:52 node_modules
-rw-r--r-- 1 michaelbrewer staff 902B Jan 12 01:52 package-lock.json
-rw-r--r-- 1 michaelbrewer staff 136B Jan 12 01:54 package.json
```
- Husky: ^7.0.4
- git: 2.34.1
- os: macos
Steps to reproduce
```bash
# Create blank new repo
mkdir foo
cd foo
git init
# Install and setup husky
npm install husky --save-dev
npm set-script prepare "husky install"
npm set-script test "echo 'cool cool cool'"
npm run prepare
npx husky add .husky/pre-commit "npm test"
# Use ` in a commit message and check the git log
git add package.json
git commit -m "x `ls`"
git log
```
Well, it’s a feature. Not a bug 😃 Command-Substitution. You can have your commit message contain variables and output from a script.

Use single-quote `'` around your commit message to avoid.

ok, typo in the message. but still `newfile` is not shown in the listing. That proves the command is not executed during the `git log` but during the message creation.

Anyway, not a husky issue
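
The comments above conclude that the shell expands the backticks before git or any husky hook starts. The following added example (not code from the issue or from husky) shows this for four quoting forms; `received` is a hypothetical stand-in for `git commit -m`, and `probe` and the marker path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. `received` stands in for `git commit -m`: it returns its
# argument exactly as the shell placed it in argv.
received() { printf '%s' "$1"; }

MARK="${TMPDIR:-/tmp}/backtick-demo.$$"   # side-effect marker (constructed path)

# Harmless stand-in for the command between the backticks.
probe() { : > "$MARK"; printf 'PROBE'; }

# Reports whether probe ran since the last call, then resets the marker.
probe_state() {
  if [ -e "$MARK" ]; then rm -f "$MARK"; printf 'ran'; else printf 'not-run'; fi
}

# Double quotes: the shell runs probe first and passes its output along.
double_quoted() { msg=$(received "x `probe`"); printf '%s|%s' "$(probe_state)" "$msg"; }

# Single quotes: backticks are literal, nothing runs.
single_quoted() { msg=$(received 'x `probe`'); printf '%s|%s' "$(probe_state)" "$msg"; }

# Backslash-escaped backticks inside double quotes are also literal.
escaped() { msg=$(received "x \`probe\`"); printf '%s|%s' "$(probe_state)" "$msg"; }

# Quoted heredoc delimiter: the form to use when feeding `git commit -F -`.
from_heredoc() {
  msg=$(cat <<'EOF'
x `probe`
EOF
)
  printf '%s|%s' "$(probe_state)" "$msg"
}

# Each line prints "<case> <probe state>|<message the program received>".
for c in double_quoted single_quoted escaped from_heredoc; do
  printf '%-14s %s\n' "$c" "$($c)"
done
```

Only the double-quoted form runs `probe`; the other three deliver the backticks to the program unchanged.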