Security: Zayan-Mohamed/gitwiz

SECURITY.md

Security Policy

Security Features

GitWizard is built with security as a top priority. Here's how we prevent common vulnerabilities:

1. Command Injection Prevention

Problem: Malicious input in commit messages could execute arbitrary commands.

Solution: We use exec.Command() with separate arguments rather than shell string concatenation:

// [OK] SECURE (GitWizard implementation)
exec.Command("git", "commit", "-m", userMessage)

// [X] INSECURE (what we DON'T do)
exec.Command("sh", "-c", "git commit -m '"+userMessage+"'")

Why this matters: Even if a user enters '; rm -rf /' as a commit message, it will be treated as literal text, not executable code.

2. Argument Injection Prevention

Problem: User input starting with hyphens could be interpreted as git flags.

Solution: We pass user input strictly as the value of an option (for example, the message following -m), never in a position where git parses flags. Because each argument is passed separately, git receives the value as a single argument, even when it begins with a hyphen.

3. Input Sanitization

  • Email Validation: Email addresses scraped from git log are validated with regex before display
  • Control Character Stripping: Non-printable characters are removed to prevent terminal corruption
  • Timeout Protection: All external commands have a 2-second timeout to prevent hanging
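The three mechanisms above in one place, as an added Go example that is not GitWizard's own code: a git commit built from separate arguments, the author-email check and control-character stripping applied to git log output, and a 2-second deadline enforced with exec.CommandContext. The regex, the function names and the sample inputs are assumptions; only RunGit needs git on PATH.

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
	"time"
	"unicode"
)

const gitTimeout = 2 * time.Second

// emailRe is a deliberately conservative pattern (an assumption, not the
// project's regex) for author addresses scraped from git log.
var emailRe = regexp.MustCompile(`^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$`)

// ValidEmail reports whether s is a plain mailbox address; anything else,
// including an address carrying escape bytes, is rejected before display.
func ValidEmail(s string) bool { return emailRe.MatchString(s) }

// StripControl drops non-printable runes (ESC, NUL, C1 controls) so a crafted
// author name or subject cannot drive the terminal; newline and tab survive.
func StripControl(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsPrint(r) || r == '\n' || r == '\t' {
			return r
		}
		return -1
	}, s)
}

// CommitArgs builds argv for "git commit": the message is one argument and the
// value of -m, so no shell ever parses it and git never reads it as a flag.
// (A user-controlled positional argument, e.g. a ref for git log, would need a
// separator such as --end-of-options; that case is not shown here.)
func CommitArgs(msg string) []string { return []string{"commit", "-m", msg} }

// RunGit executes git with separate arguments under a 2-second deadline and
// reports a timeout distinctly from other failures.
func RunGit(args ...string) (string, error) {
	ctx, cancel := context.WithTimeout(context.Background(), gitTimeout)
	defer cancel()
	out, err := exec.CommandContext(ctx, "git", args...).CombinedOutput()
	if ctx.Err() == context.DeadlineExceeded {
		return "", fmt.Errorf("git %s: timed out after %s", args[0], gitTimeout)
	}
	return string(out), err
}

func main() {
	fmt.Printf("%q\n", CommitArgs("'; rm -rf /")) // stays one literal argument
	fmt.Printf("%q\n", StripControl("Alice\x1b[31m\x00"))
	fmt.Println(ValidEmail("alice@example.com"), ValidEmail("not-an-email"))
}
```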

4. Data Gathering Concurrency

  • Git operations run in goroutines to prevent UI freezing
  • Errors are captured and logged without crashing the program
  • Graceful degradation when data is unavailable

Reporting Vulnerabilities

If you discover a security vulnerability in GitWizard, please report it by:

  1. Email: itsm.zayan@gmail.com
  2. GitHub Security Advisory: Use the "Security" tab to create a private security advisory

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

We will respond within 48 hours and work to address the issue promptly.

Supported Versions

Version | Supported
main    | yes

Security Best Practices for Users

  1. Keep Go Updated: Use the latest stable version of Go
  2. Verify Builds: Build from source if security is critical
  3. Review Code: GitWizard is open source - review the code before using
  4. Report Issues: If you see suspicious behavior, report it immediately

Dependencies

GitWizard uses the following dependencies:

  • github.com/charmbracelet/huh - TUI forms
  • github.com/charmbracelet/bubbletea - TUI framework
  • github.com/spf13/viper - Configuration management
  • golang.design/x/clipboard - Clipboard access

We regularly update dependencies to address security vulnerabilities.

There aren’t any published security advisories