From b7d48ebcc45ae75c5f36f09d6bc8e3682661a731 Mon Sep 17 00:00:00 2001 From: toddlerer <74579078+toddlerer@users.noreply.github.com> Date: Sun, 17 May 2026 03:54:51 +0900 Subject: [PATCH] git: Disable log.showSignature for internal commands (#55708) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Self-Review Checklist: - [x] I've reviewed my own diff for quality, security, and reliability - [x] Unsafe blocks (if any) have justifying comments - [x] The content is consistent with the [UI/UX checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist) - [x] Tests cover the new/changed behavior - [x] Performance impact has been considered and is acceptable Closes #53604. When `log.showSignature = true`, git prepends signature verification lines to stdout before the `--format` output. The null-separated parsers in `crates/git/src/repository.rs` weren't expecting that, so SHAs ended up corrupted — the git graph detail panel showed "0 changed files" for every commit, and file history was similarly broken. Setting `-c log.showSignature=false` in `build_command` is the same trick we already use for `core.fsmonitor`. It only affects log/show/whatchanged, so other commands aren't touched. Verified locally with an SSH-signed repo: before this change the detail panel said "0 changed files"; after, the modified files show up correctly. Release Notes: - git_graph: Fix breakage that occurs when `log.showSignature` is enabled --------- Co-authored-by: Anthony Eid --- crates/git/src/repository.rs | 49 ++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/crates/git/src/repository.rs b/crates/git/src/repository.rs index ae3172fd128..320fe2e5bf5 100644 --- a/crates/git/src/repository.rs +++ b/crates/git/src/repository.rs @@ -3415,8 +3415,12 @@ impl GitBinary { { let mut command = new_command(&self.git_binary_path); command.current_dir(&self.working_directory); + // Disabled to stop malicious actors from running arbitrary commands via fsmonitor hooks command.args(["-c", "core.fsmonitor=false"]); + // Prepended signature lines would corrupt our --format parsers. + command.args(["-c", "log.showSignature=false"]); command.arg("--no-optional-locks"); + // Internal commands must be non-interactive so background tasks never block on user input. command.arg("--no-pager"); if !self.is_trusted { @@ -3814,6 +3818,51 @@ mod tests { ); } + #[gpui::test] + async fn test_build_command_disables_log_show_signature(cx: &mut TestAppContext) { + cx.executor().allow_parking(); + let dir = tempfile::tempdir().unwrap(); + git2::Repository::init(dir.path()).unwrap(); + + let git = GitBinary::new( + PathBuf::from("git"), + dir.path().to_path_buf(), + dir.path().join(".git"), + cx.executor(), + true, + ); + let output = git + .build_command(&["config", "--get", "log.showSignature"]) + .output() + .await + .expect("git config should run"); + let stdout = String::from_utf8_lossy(&output.stdout); + assert_eq!( + stdout.trim(), + "false", + "log.showSignature should be disabled for trusted repos" + ); + + let git = GitBinary::new( + PathBuf::from("git"), + dir.path().to_path_buf(), + dir.path().join(".git"), + cx.executor(), + false, + ); + let output = git + .build_command(&["config", "--get", "log.showSignature"]) + .output() + .await + .expect("git config should run"); + let stdout = String::from_utf8_lossy(&output.stdout); + assert_eq!( + stdout.trim(), + "false", + "log.showSignature should be disabled for untrusted repos" + ); + } + #[gpui::test] async fn test_path_for_index_id_uses_real_git_directory(cx: &mut TestAppContext) { cx.executor().allow_parking();