Fix shell escaping in getting current env#53335
Merged
ConradIrwin merged 2 commits into main on Apr 8, 2026
In a few places (notably when getting the current environment) we were not escaping directory names sufficiently. This could allow shell injection if a project contained a specially crafted git submodule. Credit to Dario Weißer for bringing this to our attention.
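As an added example (not code from this PR or from Zed itself), the defect class described above in Rust: a directory name spliced into the text of a shell command, next to a single-quote escaper that makes the name a literal word, and a variant that keeps the path out of the shell entirely. The function names and the directory value are constructed for illustration.

```rust
use std::path::Path;
use std::process::Command;

/// Quote `s` so a POSIX shell treats it as one literal word.
/// Everything inside single quotes is literal except a single quote,
/// which is emitted as '\'' (close the quote, escaped quote, reopen).
pub fn shell_single_quote(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('\'');
    for c in s.chars() {
        if c == '\'' {
            out.push_str("'\\''");
        } else {
            out.push(c);
        }
    }
    out.push('\'');
    out
}

/// The defect pattern: the directory name becomes part of the command
/// text, so shell metacharacters in the name are parsed as shell syntax.
pub fn naive_env_command(dir: &str) -> String {
    format!("cd {} && env", dir)
}

/// Hardened: the name is a quoted literal, so `;`, `$(...)`, backticks
/// and spaces in it cannot change the structure of the command.
pub fn quoted_env_command(dir: &str) -> String {
    format!("cd {} && env", shell_single_quote(dir))
}

/// Preferable where possible: never put the path in the command string;
/// let the OS set the working directory before the shell starts.
pub fn env_command_without_interpolation(shell: &str, dir: &Path) -> Command {
    let mut cmd = Command::new(shell);
    cmd.args(["-l", "-c", "env"]).current_dir(dir);
    cmd
}

fn main() {
    // Constructed directory name containing shell metacharacters (not a real path).
    let hostile = "proj'; echo INJECTED; '";
    println!("naive:  {}", naive_env_command(hostile));
    println!("quoted: {}", quoted_env_command(hostile));
}
```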
3e5e247 to 928a8dc
agu-z approved these changes, Apr 8, 2026
Author (Member): /cherry-pick preview
github-actions bot pushed a commit that referenced this pull request, Apr 8, 2026
Credit to Dario Weißer for bringing this to our attention.

Self-Review Checklist:
- [ ] I've reviewed my own diff for quality, security, and reliability
- [ ] Unsafe blocks (if any) have justifying comments
- [ ] The content is consistent with the [UI/UX checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [ ] Tests cover the new/changed behavior
- [ ] Performance impact has been considered and is acceptable

Closes #ISSUE

Release Notes:
- Fixed a bug where a cleverly crafted directory name could lead to remote code execution
zed-zippy bot added a commit that referenced this pull request, Apr 8, 2026
…eview) (#53355)

Cherry-pick of #53335 to preview

----

Credit to Dario Weißer for bringing this to our attention.

Self-Review Checklist:
- [ ] I've reviewed my own diff for quality, security, and reliability
- [ ] Unsafe blocks (if any) have justifying comments
- [ ] The content is consistent with the [UI/UX checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [ ] Tests cover the new/changed behavior
- [ ] Performance impact has been considered and is acceptable

Closes #ISSUE

Release Notes:
- Fixed a bug where a cleverly crafted directory name could lead to remote code execution

Co-authored-by: Conrad Irwin <conrad.irwin@gmail.com>