fix: Honor disallow_shell in SSH client feature check

EliahKagan · EliahKagan · commit a445b72fcdbb · 2025-01-26T09:55:41.000-05:00
When running an SSH client, the `disallow_shell` option determines
whether the client command, before arguments, is to be run directly
or if it is to be run by a shell.

(One example of when it is run directly is if it comes from the
`GIT_SSH` environment variable, while one example of when it is run
by a shell is if it comes from the `GIT_SSH_COMMAND` environment
variable.)

When invoking the client in the most central and common case of
actually attempting to connect to a remote server, `disallow_shell`
was already followed. However, in some cases we are not sure what
kind of SSH client program we have, and so to find that out (so we
know how to run it to connect to a server), we run a test command,
to see if it recognizes `-G` as OpenSSH clients do. Often we can
tell what kind of client program we have without needing to do
that. But if we do need to do it, we pre-run the client to check.
In this use, the `disallow_shell` option was not followed, and
instead the use of a shell was unconditionally treated as allowed.

This fixes that by setting `prepare.use_shell = false` on a
constructed `gix_command::Prepare` instance, which seems to be the
prevailing style for achieving this elsewhere in `gix-transport`.
diff --git a/gix-transport/src/client/blocking_io/ssh/mod.rs b/gix-transport/src/client/blocking_io/ssh/mod.rs
@@ -111,8 +111,8 @@ pub fn connect(
     let ssh_cmd = options.ssh_command();
     let mut kind = options.kind.unwrap_or_else(|| ProgramKind::from(ssh_cmd));
     if options.kind.is_none() && kind == ProgramKind::Simple {
-        let mut cmd = std::process::Command::from(
-            gix_command::prepare(ssh_cmd)
+        let mut cmd = std::process::Command::from({
+            let mut prepare = gix_command::prepare(ssh_cmd)
                 .stderr(Stdio::null())
                 .stdout(Stdio::null())
                 .stdin(Stdio::null())
@@ -122,8 +122,12 @@ pub fn connect(
                     Usable(host) => host,
                     Dangerous(host) => Err(Error::AmbiguousHostName { host: host.into() })?,
                     Absent => panic!("BUG: host should always be present in SSH URLs"),
-                }),
-        );
+                });
+            if options.disallow_shell {
+                prepare.use_shell = false;
+            }
+            prepare
+        });
         gix_features::trace::debug!(cmd = ?cmd, "invoking `ssh` for feature check");
         kind = if cmd.status().ok().is_some_and(|status| status.success()) {
             ProgramKind::Ssh
