Display and pull branches from GitHub pull requests.
npm install -g pullit
or
yarn global add pullit
From within any repo:
pullit
Then simply select a branch to fetch it down and check it out.
License: MIT License
I wrote one test and it's bad :( need to add more
Hi @jkup 👋
I'm not sure what's up here, but this is what I saw when I tried pullit for the first time 😅
Any ideas? At the time, this pull request was open. I was just testing things out to see how it worked. Maybe it doesn't like my color scheme?
It looks like there is an API for it https://developer.github.com/v3/enterprise/
It would be nice to throw human readable errors for every step. Is there a network issue? Can the git url be parsed? Is it even a git project you are in?
At work (and I'd assume in open source), we rely heavily on forking and then merging in changes to the main repo. We then end up having origin be our fork, rather than the main repo.
I'll open up a PR for this in a minute or so!
I want pullit 123 to check out the SHA but not create a branch for it.
Upfront: Awesome tool, very useful! :)
I just came across this today: I received a PR for a repo, and the source branch in the fork was called the same as the target branch in my repository: develop.
When I tried to pull that PR, I received the following error:
fatal: Refusing to fetch into current branch refs/heads/develop of non-bare repository
Error: Could not find the specified pull request.
Git thinks you want to merge develop into develop or something, and refuses to do so.
It seems that would happen quite often, since people often do a quick fork, fix a little thing, commit without creating a new branch and open a PR to the default branch.
Maybe we could simply prepend all branches created by pullit with pullit/ or something? That would have the added benefit of making branches created by pullit easy to spot.
Gitlab support would be nice 😄
Since this ultimately executes commands on the user's system it would be nice to just do basic sanitization so they don't mess anything up.
Like pullit 123?
I get
Error: could not display pull requests. Please make sure this is a valid repository.
I assume it's because my github repository is private; is there a way to have the utility ask for auth or use existing github auth?
The pullit npm package makes insecure use of a shell execution API (i.e. exec() or execSync()) which is vulnerable to malicious user input based on a remote branch name on the GitHub platform that can be set by a 3rd party, hence luring an innocent user to use the pullit module on the target branch and resulting in a remote command execution exploit.
The pullit project has a set of exec() calls to git commands whose arguments may end up originating from user input, in the form of a carefully crafted remote branch name on GitHub, which pullit pulls branch names from.
Reconstruction of a flow that results in remote command execution on the user running pullit:
git checkout -b ";{echo,hello,world}>/tmp/c"
/tmp/c
See below for patch to fix the problem:
pullit-security-rce.patch:
diff --git a/src/index.js b/src/index.js
index 3a34831..9bffd0d 100644
--- a/src/index.js
+++ b/src/index.js
@@ -1,7 +1,7 @@
const GitHubApi = require('github');
const Menu = require('terminal-menu');
const {
- execSync
+ execFileSync
} = require('child_process');
const parse = require('parse-github-repo-url');
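Review bot: execSync is dropped from the destructured import, so any execSync call that remains elsewhere in src/index.js would now fail at runtime with "execSync is not a function"; grep the file for other call sites before merging. Importing only execFileSync is otherwise the right direction, since it never involves /bin/sh.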
@@ -12,7 +12,7 @@ class Pullit {
}
init() {
- const url = execSync(`git config --get remote.origin.url`, {
+ const url = execFileSync('git', ['config', '--get', 'remote.origin.url'], {
encoding: 'utf8'
}).trim();
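Review bot: execFileSync throws here (ENOENT when git is not on PATH, or a non-zero exit when the cwd is not a git checkout) and the call has no try/catch, so the failure reaches the user as a raw stack trace instead of the readable "is this even a git project" message requested in the issue above; suggest wrapping `const url = execFileSync('git', ['config', '--get', 'remote.origin.url'], {` in a try/catch that reports a plain error.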
@@ -34,8 +34,11 @@ class Pullit {
})
.then(res => {
const branch = res.data.head.ref;
- execSync(
- `git fetch origin pull/${id}/head:${branch} && git checkout ${branch}`
+ execFileSync(
+ 'git', ['fetch', 'origin', `pull/${id}/head:${branch}`]
+ );
+ execFileSync(
+ 'git', ['checkout', branch]
);
})
.catch(err => {
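Review bot: splitting the `&&` chain into two execFileSync calls keeps the original ordering (execFileSync throws on a non-zero exit, so checkout is skipped when the fetch fails), but `branch` still flows unvalidated from res.data.head.ref into both the refspec and `'git', ['checkout', branch]`; a head ref beginning with "-" would be read by git checkout as an option rather than a branch, so validate the name against git's ref rules or give the local branch a fixed prefix (as the develop-into-develop issue above suggests, which also removes that collision). The .catch below still reports "Could not find the specified pull request" for every failure, which now also covers a refused fetch or checkout.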
Cannot run pullit with error message below:
Error: 'github' has been renamed to '@octokit/rest' (https://git.io/vNB11)
Version: 1.3.0
Currently getting the following error:
$ pullit
Error: could not display pull requests. Please make sure this is a valid repository.
I'm sure this means forking your codebase somehow, but Bitbucket support would be amazing :)
Like pullit push 123 or pullit push 123 -f, to push directly to the proper remote and branch for that PR?