Title: Security: Command injection via shell=True in git command execution (CWE-78) · Issue #1918 · commitizen-tools/commitizen · GitHub
Open Graph Title: Security: Command injection via shell=True in git command execution (CWE-78) · Issue #1918 · commitizen-tools/commitizen
X Title: Security: Command injection via shell=True in git command execution (CWE-78) · Issue #1918 · commitizen-tools/commitizen
Description: Summary commitizen uses subprocess.Popen(cmd, shell=True) in commitizen/cmd.py to execute all git commands. Multiple functions in commitizen/git.py construct shell commands by interpolating values via f-strings without escaping. Affected...
Open Graph Description: Summary commitizen uses subprocess.Popen(cmd, shell=True) in commitizen/cmd.py to execute all git commands. Multiple functions in commitizen/git.py construct shell commands by interpolating values ...
X Description: Summary commitizen uses subprocess.Popen(cmd, shell=True) in commitizen/cmd.py to execute all git commands. Multiple functions in commitizen/git.py construct shell commands by interpolating values ...
Mail addresses
hypery11@gmail.com
Opengraph URL: https://github.com/commitizen-tools/commitizen/issues/1918
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Security: Command injection via shell=True in git command execution (CWE-78)","articleBody":"## Summary\n\ncommitizen uses `subprocess.Popen(cmd, shell=True)` in `commitizen/cmd.py` to execute all git commands. Multiple functions in `commitizen/git.py` construct shell commands by interpolating values via f-strings without escaping.\n\n## Affected Code\n\n`commitizen/cmd.py` lines 41-43:\n```python\nprocess = subprocess.Popen(cmd, shell=True, ...)\n```\n\n`commitizen/git.py` line 173:\n```python\nreturn cmd.run(f'git tag {option} {tag} -m \"{msg or tag}\"')\n```\n\n`commitizen/git.py` line 167:\n```python\nreturn cmd.run(f\"git tag {tag}\")\n```\n\n`commitizen/git.py` line 177:\n```python\nreturn cmd.run(f\"git add {' '.join(args)}\")\n```\n\n## Attack Vector\n\nAn attacker poisons `pyproject.toml` (e.g., via PR) with:\n```toml\n[tool.commitizen]\nannotated_tag = true\nannotated_tag_message = 'Release\" \u0026\u0026 malicious_command \u0026\u0026 echo \"'\n```\n\nWhen CI/CD runs `cz bump`, the shell interprets the injected command.\n\n## Impact\n\n- Arbitrary command execution in CI/CD pipelines\n- CVSS 3.1: 7.8 (High)\n- Similar to CVE-2026-33718 (OpenHands command injection via git operations)\n\n## Suggested Fix\n\nReplace `shell=True` with list-based subprocess, or use `shlex.quote()`:\n```python\nsubprocess.run([\"git\", \"tag\", option, tag, \"-m\", msg or tag])\n```\n\n---\nReported by: Tom Chen (hypery11@gmail.com)","author":{"url":"https://github.com/hypery11","@type":"Person","name":"hypery11"},"datePublished":"2026-03-31T11:32:40.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/1918/commitizen/issues/1918"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:24f3e971-7416-9fc2-e6af-25f00621f041 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | C652:7DC64:555F2C:7C3C66:6A4E092F |
| html-safe-nonce | 89a6611750bbd275f0a217e2c975d4f2044884d2a638e8acda08ba24e0bf7d22 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDNjUyOjdEQzY0OjU1NUYyQzo3QzNDNjY6NkE0RTA5MkYiLCJ2aXNpdG9yX2lkIjoiMTQ3ODAzNjI5Mjg4MDk1OTc5MSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 9bc213c4a4664a2f7db8cfad839e984a282bb0023cd727fc5579c118762e8c5c |
| hovercard-subject-tag | issue:4178364727 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/commitizen-tools/commitizen/1918/issue_layout |
| twitter:image | https://opengraph.githubassets.com/f3a1adecb9a794374ea12e5891aa52014f5e1c4740172fae088931d84383e360/commitizen-tools/commitizen/issues/1918 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/f3a1adecb9a794374ea12e5891aa52014f5e1c4740172fae088931d84383e360/commitizen-tools/commitizen/issues/1918 |
| og:image:alt | Summary commitizen uses subprocess.Popen(cmd, shell=True) in commitizen/cmd.py to execute all git commands. Multiple functions in commitizen/git.py construct shell commands by interpolating values ... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | hypery11 |
| hostname | github.com |
| expected-hostname | github.com |
| None | df0492960db29b4938cb72070351d6b1d0c6c0767b27ceb8394bbf4fcc0223c6 |
| turbo-cache-control | no-preview |
| go-import | github.com/commitizen-tools/commitizen git https://github.com/commitizen-tools/commitizen.git |
| octolytics-dimension-user_id | 62252524 |
| octolytics-dimension-user_login | commitizen-tools |
| octolytics-dimension-repository_id | 106127589 |
| octolytics-dimension-repository_nwo | commitizen-tools/commitizen |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 106127589 |
| octolytics-dimension-repository_network_root_nwo | commitizen-tools/commitizen |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 51470c353b8a1f52a88d3e3cc2014b17ab8cc1ce |
| ui-target | canary-2 |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width