Review Comments Addressed

nasareeny · nasareeny · commit 6086a6a1f634 · 2026-03-27T12:57:33.000+05:30
diff --git a/get_git.go b/get_git.go
@@ -174,11 +174,36 @@ func (g *GitGetter) GetFile(dst string, u *url.URL) error {
 }
 
 func (g *GitGetter) checkout(ctx context.Context, dst string, ref string) error {
-	cmd := exec.CommandContext(ctx, "git", "checkout", ref, "--")
+	resolvedRef, err := resolveCheckoutRef(ctx, dst, ref)
+	if err != nil {
+		return err
+	}
+
+	cmd := exec.CommandContext(ctx, "git", "checkout", resolvedRef)
 	cmd.Dir = dst
 	return getRunCommand(cmd)
 }
 
+func resolveCheckoutRef(ctx context.Context, dst, ref string) (string, error) {
+	candidates := []string{
+		ref,
+		"refs/remotes/origin/" + ref,
+		"refs/tags/" + ref,
+	}
+
+	for _, candidate := range candidates {
+		cmd := exec.CommandContext(ctx, "git", "rev-parse", "--verify", "--quiet", "--end-of-options", candidate+"^{commit}")
+		cmd.Dir = dst
+
+		resolvedRef, err := cmd.Output()
+		if err == nil {
+			return strings.TrimSpace(string(resolvedRef)), nil
+		}
+	}
+
+	return "", fmt.Errorf("invalid ref: %q", ref)
+}
+
 // gitCommitIDRegex is a pattern intended to match strings that seem
 // "likely to be" git commit IDs, rather than named refs. This cannot be
 // an exact decision because it's valid to name a branch or tag after a series
diff --git a/get_git_test.go b/get_git_test.go
@@ -432,6 +432,34 @@ func TestGitGetter_tag(t *testing.T) {
 	}
 }
 
+func TestGitGetter_checkoutRefOptionInjectionRejected(t *testing.T) {
+	if !testHasGit {
+		t.Skip("git not found, skipping")
+	}
+
+	g := new(GitGetter)
+	repo := testGitRepo(t, "empty-repo")
+	repo.git("config", "commit.gpgsign", "false")
+	repo.commitFile("safe.txt", "safe")
+
+	secretPath := filepath.Join(t.TempDir(), "secret.txt")
+	secretLine := "THIS_IS_A_SECRET"
+	if err := os.WriteFile(secretPath, []byte(secretLine+"\n"), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	err := g.checkout(context.Background(), repo.dir, "--pathspec-from-file="+secretPath)
+	if err == nil {
+		t.Fatal("checkout succeeded; want error")
+	}
+	if !strings.Contains(err.Error(), "invalid ref") {
+		t.Fatalf("expected invalid ref error, got: %s", err)
+	}
+	if strings.Contains(err.Error(), secretLine) {
+		t.Fatalf("secret leaked in error message:\n%s", err.Error())
+	}
+}
+
 func TestGitGetter_GetFile(t *testing.T) {
 	if !testHasGit {
 		t.Skip("git not found, skipping")
