From a70e7fe742a1f95869ce283996dca9720fa2b28b Mon Sep 17 00:00:00 2001
From: YeonGyu-Kim
Date: Wed, 11 Mar 2026 17:07:43 +0900
Subject: [PATCH] test(git-master): cover full git command prefix injection
---
 .../git-master-template-injection.test.ts | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/src/features/opencode-skill-loader/git-master-template-injection.test.ts b/src/features/opencode-skill-loader/git-master-template-injection.test.ts
index a063eda98..60ea0f0b3 100644
--- a/src/features/opencode-skill-loader/git-master-template-injection.test.ts
+++ b/src/features/opencode-skill-loader/git-master-template-injection.test.ts
@@ -12,6 +12,9 @@ const SAMPLE_TEMPLATE = [
 "",
 "```bash",
 "git status",
+ "git merge-base HEAD main 2>/dev/null || git merge-base HEAD master 2>/dev/null",
+ "MERGE_BASE=$(git merge-base HEAD main)",
+ "GIT_SEQUENCE_EDITOR=: git rebase -i --autosquash $MERGE_BASE",
 "```",
 "",
 "```",
@@ -67,6 +70,18 @@ describe("#given git_env_prefix config", () => {
 })
 })
 
+ describe("#when git_env_prefix contains shell metacharacters", () => {
+ it("#then rejects the malicious value", () => {
+ expect(() =>
+ injectGitMasterConfig(SAMPLE_TEMPLATE, {
+ commit_footer: false,
+ include_co_authored_by: false,
+ git_env_prefix: "A=1; rm -rf /",
+ })
+ ).toThrow('git_env_prefix must be empty or use shell-safe env assignments like "GIT_MASTER=1"')
+ })
+ })
+
 describe("#when no config provided", () => {
 it("#then uses default GIT_MASTER=1 prefix", () => {
 const result = injectGitMasterConfig(SAMPLE_TEMPLATE)
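Review bot: The new `#when git_env_prefix contains shell metacharacters` case in the second hunk exercises only one payload, `"A=1; rm -rf /"`, so a validator that merely rejects `;` (or whitespace) would still pass it. The validator itself is not visible in this patch, but the error text implies an allowlist of env assignments, and the test should pin that by looping over one constructed value per metacharacter class: command substitution, backticks, `&&`, a pipe and an embedded newline. A companion case asserting that the empty string and a plain `GIT_MASTER=1` are accepted would keep the allowlist from becoming over-strict. The enclosing `describe("#given git_env_prefix config", ...)` starts outside the hunk.

```typescript
describe("#when git_env_prefix contains shell metacharacters", () => {
  // constructed sample values, one per metacharacter class
  const unsafePrefixes = ["A=1; true", "A=$(true)", "A=`true`", "A=1 && true", "A=1 | true", "A=1\nB=2"]
  for (const unsafePrefix of unsafePrefixes) {
    it(`#then rejects ${JSON.stringify(unsafePrefix)}`, () => {
      expect(() =>
        injectGitMasterConfig(SAMPLE_TEMPLATE, {
          // … unchanged: commit_footer, include_co_authored_by …
          git_env_prefix: unsafePrefix,
        })
      ).toThrow() // … unchanged: keep the existing message argument …
    })
  }
})
```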
@@ -91,6 +106,25 @@ describe("#given git_env_prefix with commit footer", () => {
 })
 })
 
+ describe("#when the template already contains bare git commands in bash blocks", () => {
+ it("#then prefixes every git invocation in the final output", () => {
+ const result = injectGitMasterConfig(SAMPLE_TEMPLATE, {
+ commit_footer: false,
+ include_co_authored_by: false,
+ git_env_prefix: "GIT_MASTER=1",
+ })
+
+ expect(result).toContain("GIT_MASTER=1 git status")
+ expect(result).toContain(
+ "GIT_MASTER=1 git merge-base HEAD main 2>/dev/null || GIT_MASTER=1 git merge-base HEAD master 2>/dev/null"
+ )
+ expect(result).toContain("MERGE_BASE=$(GIT_MASTER=1 git merge-base HEAD main)")
+ expect(result).toContain(
+ "GIT_SEQUENCE_EDITOR=: GIT_MASTER=1 git rebase -i --autosquash $MERGE_BASE"
+ )
+ })
+ })
+
 describe("#when env prefix disabled but footer enabled", () => {
 it("#then commit examples have no env prefix", () => {
 const result = injectGitMasterConfig(SAMPLE_TEMPLATE, {
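Review bot: The four `toContain` assertions show that the prefixed forms are present, but not that every git invocation was prefixed, which is what the `it` title claims. Output with a doubled prefix such as `GIT_MASTER=1 GIT_MASTER=1 git status`, or with a bare `git` left elsewhere in a bash block, would still pass. Negative checks next to the positive ones would close that gap: `expect(result).not.toContain("GIT_MASTER=1 GIT_MASTER=1")`, `expect(result).not.toContain("$(git ")` and `expect(result).not.toContain("|| git ")`. The enclosing `describe("#given git_env_prefix with commit footer", ...)` begins outside the hunk, and the rest of `SAMPLE_TEMPLATE` is not visible here, so these substrings should be checked against the full fixture first.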