Fix regex for CLONE_OPTIONS constant (#1122)

steveukx · web-flow · commit 23b070f0a4d3 · 2026-02-21T18:36:40.000Z
* Fix regex for CLONE_OPTIONS constant Unbounded regexp would catch clone options that should be permitted. Closes #1121 * changeset * Adjust timeout for clone command injection test Increase timeout for clone command injection test. * Update block-unsafe-operations-plugin.ts
diff --git a/.changeset/smooth-otters-deliver.md b/.changeset/smooth-otters-deliver.md
@@ -0,0 +1,7 @@
+---
+"simple-git": patch
+---
+
+Fix regex for detecting unsafe clone options
+
+Thanks to @stevenwdv for reporting this issue.
diff --git a/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts b/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts
@@ -3,7 +3,7 @@ import type { SimpleGitPlugin } from './simple-git-plugin';
 import { GitPluginError } from '../errors/git-plugin-error';
 import type { SimpleGitPluginConfig } from '../types';
 
-const CLONE_OPTIONS = /^\0*(-|--|--no-)[\0\dlsqvnobucj]+/;
+const CLONE_OPTIONS = /^\0*(-|--|--no-)[\0\dlsqvnobucj]+\b/;
 
 function isConfigSwitch(arg: string | unknown) {
    return typeof arg === 'string' && arg.trim().toLowerCase() === '-c';
diff --git a/simple-git/test/integration/plugin.unsafe.spec.ts b/simple-git/test/integration/plugin.unsafe.spec.ts
@@ -70,7 +70,7 @@ describe('plugin.unsafe', () => {
                ),
             );
          }
-      });
+      }, 20000);
 
       it('allows clone command injection: `-u...` pattern', async () => {
          await promiseResult(

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ describe('plugin.unsafe', () => {`
`70`	`70`	`),`
`71`	`71`	`);`
`72`	`72`	`}`
`73`		`- });`
	`73`	`+ }, 20000);`
`74`	`74`
`75`	`75`	it('allows clone command injection: `-u...` pattern', async () => {
`76`	`76`	`await promiseResult(`