From db96050800ab1eca4054c9f36918da8dba0832b4 Mon Sep 17 00:00:00 2001
From: Aonan Guan
Date: Mon, 29 Dec 2025 15:33:42 -0800
Subject: [PATCH] git: improve file path validation in add operation

Use Git CLI directly instead of GitPython index API to ensure proper path validation and prevent option injection. The '--' separator ensures file paths starting with '-' are handled correctly.
---
 src/git/src/mcp_server_git/server.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/git/src/mcp_server_git/server.py b/src/git/src/mcp_server_git/server.py
index 58d8178d..1d0298b4 100644
--- a/src/git/src/mcp_server_git/server.py
+++ b/src/git/src/mcp_server_git/server.py
@@ -132,7 +132,8 @@ def git_add(repo: git.Repo, files: list[str]) -> str:
 if files == ["."]:
 repo.git.add(".")
 else:
- repo.index.add(files)
+ # Use '--' to prevent files starting with '-' from being interpreted as options
+ repo.git.add("--", *files)
 return "Files staged successfully"

 def git_reset(repo: git.Repo) -> str:
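Review bot: In the `else` branch of `git_add`, each entry of `files` is now handed to `git add` as a pathspec, so `--` ends option parsing but pathspec magic (an entry beginning with `:`, such as `:/` or `:(exclude)...`) is still interpreted by git rather than treated as a file name. If callers are meant to stage only the literal paths they name, consider rejecting entries that start with `:` before the call, or running git with its `--literal-pathspecs` global option (equivalently the `GIT_LITERAL_PATHSPECS` environment variable). An empty `files` list also reaches `repo.git.add("--")`, which as far as I can tell stages nothing while the function still returns "Files staged successfully"; a guard such as `if not files: raise ValueError("no files given")` ahead of the branch would surface that. The diffstat shows only server.py changed, so a regression test that stages a file whose name begins with `-` would pin the fix. The body of `git_add` starts above this hunk, so any earlier validation of `files` is not visible here.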