CVE-2026-31862
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0.
How AI Introduced This
The fix for CVE-2026-31862 replaces shell-based execAsync string interpolation with argumentized spawnAsync calls and adds branch/remote validation. This commit introduced a new /publish endpoint that executes `git push --set-upstream ${remoteName} ${branch}` via execAsync, where `branch` comes directly from the authenticated request body. That is exactly the vulnerable pattern the fix later removes from the same endpoint, so this commit introduced one of the command-injection sinks covered by the CVE.
Bug-Introducing Commits (1)
feat: Publish branch functionality (#66)
Tribunal Analysis
3 agents

CONFIRMED (GPT-5.4, 98%)
- Commit 33aea3f7e8499a483d5108328e058c3c7128e108 adds `router.post('/publish', ...)` to `server/routes/git.js`.
- In that new endpoint, the commit runs ``await execAsync(`git push --set-upstream ${remoteName} ${branch}`, { cwd: projectPath })``.
- `branch` is taken from `req.body` and only checked for equality with the current branch name; there is no sanitization or safe argv-based execution in this commit.
- Fix commit 86c33c1c0cb34176725a38f46960213714fc3e04 changes this exact endpoint to `validateBranchName(branch)`, `validateRemoteName(remoteName)`, and `spawnAsync('git', ['push', '--set-upstream', remoteName, branch], ...)`, demonstrating this was part of the vulnerability remediation.
UNLIKELY (Claude Opus 4.6, 75%)
The CVE describes a systemic vulnerability where "multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters." This commit (33aea3f7) adds a new `/publish` endpoint that follows the same vulnerable pattern (``execAsync(`git push --set-upstream ${remoteName} ${branch}`)``), but the fundamental vulnerability was already pervasive across many pre-existing endpoints (e.g., `/commit`, `/checkout`, `/create-branch`, `/diff`, `/push`, `/pull`, `/fetch`, `/discard`). The fix commit (86c33c1) replaces ALL execAsync calls across the entire file with spawnAsync, confirming this was a systemic issue that predated this commit. While this commit added one more vulnerable endpoint, it did not introduce the vulnerability pattern itself.
- The fix commit replaces ALL execAsync calls with spawnAsync across the entire git.js file, not just the /publish endpoint added by this commit.
- Before this commit, vulnerable execAsync calls with string interpolation already existed in endpoints like /commit (line 176: `git commit -m "${message}"`), /checkout (line 240: `git checkout "${branch}"`), /diff (line 139: `git diff HEAD -- "${file}"`), /push (line 630: `git push ${remoteName} ${remoteBranch}`), and many others.
- This commit adds one new vulnerable endpoint (/publish with `git push --set-upstream ${remoteName} ${branch}`) following the same pre-existing vulnerable pattern.
- The CVE description says 'multiple Git-related API endpoints' are affected, confirming the systemic nature of the vulnerability that predates this commit.
UNLIKELY (Gemini 3.1 Pro, 95%)
The suspected commit adds a new `/publish` endpoint which uses `execAsync` with string interpolation, making it vulnerable to OS command injection. However, the vulnerability description states that multiple Git-related API endpoints were vulnerable due to user-controlled parameters like `file`, `branch`, `message`, and `commit`. These other vulnerable endpoints (such as `/diff`, `/commit`, `/checkout`) were already present in `server/routes/git.js` prior to this commit. Therefore, this commit merely added another instance of an already existing systemic vulnerability rather than introducing the vulnerability to the codebase.
- The suspected commit adds a new `/publish` endpoint in `server/routes/git.js` that uses `execAsync` with string interpolation.
- The vulnerability description mentions that multiple endpoints are vulnerable via parameters like `file`, `branch`, `message`, and `commit`.
- A search of `server/routes/git.js` at the suspected commit shows that `execAsync` with string interpolation was already being used in multiple other endpoints (e.g., `/diff`, `/commit`, `/checkout`) before this commit.
Pattern: ``exec(`git command ${userInput}`, { cwd: projectPath })``

AI Signals (1)
| Tool | Signal | Evidence | Score |
|---|---|---|---|
| Claude Code | Squash PR co-author | Co-Authored-By: Claude <noreply@anthropic.com> | 24% |