Add --receive-pack parameter to the list of blocked dangerous git parameters
in validateGitUrl function. This parameter, like --upload-pack, can be used
to execute arbitrary binaries and poses a security risk.

Changes:
- Use array for dangerous params check (better maintainability)
- Use test.each for data-driven tests (covers all params)

Address Node.js execFileAsync limitation where null bytes in command arguments
cause execution to fail. Implement proper separation between Git format strings
and JavaScript parsing logic.

Changes:
- Separate Git format separator (%x00) from JavaScript parsing separator (\x00)
- Add GIT_LOG_FORMAT_SEPARATOR constant for Git command formatting
- Maintain GIT_LOG_RECORD_SEPARATOR for JavaScript string parsing
- Add comprehensive test coverage for git log functionality
- Support cross-platform line endings (CRLF/LF) in git log parsing
- Add gitLogHandle.test.ts with 13 test cases covering various scenarios

This resolves the "string without null bytes" error while maintaining
flexibility for custom separators and ensuring robust git log processing
across different platforms and git configurations.

Updated git command tests to expect the new `--` separators that were added
for security to prevent argument injection attacks. The tests now properly
validate the enhanced command arguments in execGitShallowClone and execLsRemote.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
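
The separator split described in the second commit message, as an added example that is not code from these commits: the argument list carries git's `%x00` escape, so no argument contains a literal NUL, and the parser splits stdout on the real `\x00` byte while accepting LF and CRLF. Only the two constant names come from the commit message; the function names, the `%ad|%s` format and the sample output are assumptions.

```javascript
// Constant names come from the commit message; everything else here is hypothetical.
const GIT_LOG_FORMAT_SEPARATOR = '%x00'; // git expands this escape to a NUL byte in its output
const GIT_LOG_RECORD_SEPARATOR = '\x00'; // the literal NUL byte that then appears in stdout

// Build argv for `git log`. No element may hold a literal NUL byte,
// because Node rejects such arguments before the process is spawned.
function buildGitLogArgs(maxCommits) {
  const args = [
    'log',
    `--pretty=format:${GIT_LOG_FORMAT_SEPARATOR}%ad|%s`,
    '--date=iso',
    '--name-only',
    '-n',
    String(maxCommits),
  ];
  if (args.some((arg) => arg.includes('\x00'))) {
    throw new Error('git argument contains a null byte');
  }
  return args;
}

// Split raw stdout into commit records on the NUL byte, then split each
// record into lines, tolerating both LF and CRLF line endings.
function parseGitLog(raw, separator = GIT_LOG_RECORD_SEPARATOR) {
  return raw
    .split(separator)
    .filter((record) => record.trim() !== '')
    .map((record) => {
      const [header, ...files] = record.split(/\r?\n/).filter((line) => line.trim() !== '');
      const bar = header.indexOf('|'); // first '|' ends the date; the subject may contain more
      return {
        date: bar === -1 ? '' : header.slice(0, bar),
        message: header.slice(bar + 1),
        files,
      };
    });
}

// Constructed sample output: two commits, the second with CRLF line endings.
const SAMPLE_STDOUT =
  '\x002024-01-02 10:00:00 +0000|fix: block --receive-pack\nsrc/a.ts\nsrc/b.ts\n' +
  '\x002024-01-01 09:00:00 +0000|feat: log | pipes in subject\r\nREADME.md\r\n';
```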