CloneGit fetches a single git ref into ref.Dest. All user-controlled strings (URL, Ref, SubPath) are passed to git as separate argv entries via exec.Command — they never pass through a shell, so metacharacters in any of them are inert. When ref.Full is true we do a full clone then `git checkout <sh
(ref GitRef)
| 19 | // SubPath, if set, rewrites the destination so the final layout matches the |
| 20 | // requested in-repo subdirectory. |
| 21 | func CloneGit(ref GitRef) error { |
| 22 | if ref.Full { |
| 23 | if err := runGit("clone", "--", ref.URL, ref.Dest); err != nil { |
| 24 | return err |
| 25 | } |
| 26 | // `--` separator prevents a ref starting with `-` from being parsed |
| 27 | // as a flag. Refs are already validated upstream as 40-char hex when |
| 28 | // Full is true, but defense in depth costs nothing. |
| 29 | if err := runGitIn(ref.Dest, "checkout", "--", ref.Ref); err != nil { |
| 30 | return err |
| 31 | } |
| 32 | } else { |
| 33 | if err := runGit("clone", "--depth", "1", "--branch", ref.Ref, "--", ref.URL, ref.Dest); err != nil { |
| 34 | return err |
| 35 | } |
| 36 | } |
| 37 | |
| 38 | if ref.SubPath != "" { |
| 39 | if err := applySubPath(ref.Dest, ref.SubPath); err != nil { |
| 40 | return fmt.Errorf("apply subPath %q: %w", ref.SubPath, err) |
| 41 | } |
| 42 | } |
| 43 | return nil |
| 44 | } |
| 45 | |
| 46 | func runGit(args ...string) error { |
| 47 | return runGitIn("", args...) |
no test coverage detected