Fix: Prevent code execution when cloning untrusted repositories (Vibe Kanban) (#1564)

* Done. All three git commands now have security protections:

**Changes made to `crates/remote/src/github_app/service.rs`:**

1. **Clone** (line 284): Added `-c core.hooksPath=/dev/null`, `-c core.autocrlf=false`, `-c core.symlinks=false` flags plus environment variables

2. **Fetch** (line 318): Added `-c core.hooksPath=/dev/null` flag plus environment variables

3. **Checkout** (line 349): Added `-c core.hooksPath=/dev/null` flag plus environment variables

**Security protections now in place:**
- `core.hooksPath=/dev/null` - Disables all git hooks
- `core.symlinks=false` - Prevents symlink attacks (on clone)
- `core.autocrlf=false` - Prevents line ending manipulation (on clone)
- `GIT_CONFIG_GLOBAL=/dev/null` - Ignores global git config
- `GIT_CONFIG_SYSTEM=/dev/null` - Ignores system git config
- `GIT_TERMINAL_PROMPT=0` - Prevents credential prompts

The repository cloning is now safe for untrusted repositories.

* Cleanup script changes for task attempt 8324c5ea-8505-49a7-a9f3-dfeb2d83cf54

crates/remote/src/github_app/service.rs

@@ -280,9 +280,24 @@ impl GitHubAppService {
 
         debug!(owner, repo, head_sha, "Cloning repository");
 
-        // Clone the repository
+        // Clone the repository with security flags to prevent code execution from untrusted repos
         let output = Command::new("git")
-            .args(["clone", "--depth", "1", &clone_url, "."])
+            .args([
+                "-c",
+                "core.hooksPath=/dev/null",
+                "-c",
+                "core.autocrlf=false",
+                "-c",
+                "core.symlinks=false",
+                "clone",
+                "--depth",
+                "1",
+                &clone_url,
+                ".",
+            ])
+            .env("GIT_CONFIG_GLOBAL", "/dev/null")
+            .env("GIT_CONFIG_SYSTEM", "/dev/null")
+            .env("GIT_TERMINAL_PROMPT", "0")
             .current_dir(temp_dir.path())
             .output()
             .await
@@ -305,7 +320,18 @@ impl GitHubAppService {
 
         // Fetch the specific commit (in case it's not in shallow clone)
         let output = Command::new("git")
-            .args(["fetch", "--depth", "1", "origin", head_sha])
+            .args([
+                "-c",
+                "core.hooksPath=/dev/null",
+                "fetch",
+                "--depth",
+                "1",
+                "origin",
+                head_sha,
+            ])
+            .env("GIT_CONFIG_GLOBAL", "/dev/null")
+            .env("GIT_CONFIG_SYSTEM", "/dev/null")
+            .env("GIT_TERMINAL_PROMPT", "0")
             .current_dir(temp_dir.path())
             .output()
             .await
@@ -327,7 +353,10 @@ impl GitHubAppService {
 
         // Checkout the specific commit
         let output = Command::new("git")
-            .args(["checkout", head_sha])
+            .args(["-c", "core.hooksPath=/dev/null", "checkout", head_sha])
+            .env("GIT_CONFIG_GLOBAL", "/dev/null")
+            .env("GIT_CONFIG_SYSTEM", "/dev/null")
+            .env("GIT_TERMINAL_PROMPT", "0")
             .current_dir(temp_dir.path())
             .output()
             .await