April 28, 2026

Commit message or secret message?

Patch applies fake diffs from commit messages

A patch was supposed to change one file; commenters say it can sneak in a secret extra file

TLDR: A GitHub patch meant to change one file can also create an extra file if the commit message contains patch-like text and someone applies it with a classic tool. Commenters are split between calling it another ridiculous text-format mess and saying it’s only dangerous if you already trusted the patch anyway.

A tiny code change turned into full-on comment section theater after a developer showed that a downloadable GitHub patch can smuggle in a fake extra file if the commit message itself contains text that looks like a patch. In plain English: someone thought they were applying a simple update, but an old-school tool could also read the message text as instructions and create a file that was never actually part of the visible commit. That discovery had readers doing the online equivalent of clutching pearls.

The strongest reactions split into two camps. One side went straight for the "Unix tools are chaos" rant, with one commenter blasting the whole ecosystem for relying on quirky, half-documented text formats and saying this mess wouldn’t happen if everything used a strict, modern structure like JSON or XML. The other side was much less shocked and basically shrugged: if you trust a patch enough to apply it, they argued, why is a sneaky file inside the message any scarier than a sneaky file anywhere else? That take definitely sparked the "is this a real vulnerability or just ugly behavior?" fight.

Then came the practical crowd, dropping fixes and lore like grizzled mechanics under a raised hood. One pointed out that using GitHub’s `.diff` version avoids the email-style wrapper entirely. Another explained that patch-applying tools already use weird in-band clues, like lines starting with `diff -`, to guess where the real changes begin, which, honestly, sounded to readers like the software equivalent of "we made up the rules as we went". The accidental punchline? The whole saga made commit messages look less like innocent notes and more like tiny Trojan horses with very good formatting.

Key Points

  • The article demonstrates that a GitHub `.patch` export can include diff-shaped text from a commit message alongside the real patch.
  • In the public example, the real commit changes only `readme.md`, but the commit message contains a fake diff that creates `SHOULD_NOT_BE_HERE.md`.
  • Applying the downloaded `.patch` file with `patch -p1` reportedly creates `SHOULD_NOT_BE_HERE.md`, even though it is not part of the actual commit.
  • The author says local testing also showed `GNU patch` accepting a path targeting `.git/hooks/post-applypatch`.
  • `git apply` and `git am` rejected `.git/...` paths but still accepted an injected diff for an ordinary working-tree file, while `git cherry-pick` is described as different because it uses Git objects directly.
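As an added example, not from the original article or from the tools it names, here is a small Python pre-check for the problem the key points describe: it splits a downloaded `.patch` at the bare `---` line that `git format-patch` writes after the commit message, flags any diff-shaped lines that sit in the message part, and reports any target path under `.git/`. The embedded sample patch is constructed for this example (the commit SHA is an all-zero placeholder) and mirrors the `readme.md` / `SHOULD_NOT_BE_HERE.md` case from the article.

```python
import re

# Constructed sample of a GitHub-style .patch (git format-patch email); the
# only real change is to readme.md, the message carries a second "file".
SAMPLE_PATCH = """\
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
Subject: [PATCH] Tweak readme

Explains the change, then smuggles in a second file:
diff --git a/SHOULD_NOT_BE_HERE.md b/SHOULD_NOT_BE_HERE.md
--- /dev/null
+++ b/SHOULD_NOT_BE_HERE.md
@@ -0,0 +1 @@
+oops
---
 readme.md | 2 +-

diff --git a/readme.md b/readme.md
--- a/readme.md
+++ b/readme.md
@@ -1 +1 @@
-old
+new
"""

# Line shapes that classic patch tools take as in-band "a file header or hunk starts here" hints.
DIFF_MARKER = re.compile(r"^(diff -|Index: |--- |\+\+\+ |@@ )")
# Target path from a "diff --git a/<p> b/<p>" or "+++ b/<p>" line.
TARGET_PATH = re.compile(r"^(?:diff --git a/\S+ b/|\+\+\+ b/)(\S+)")

def split_patch_email(text: str) -> tuple[list[str], list[str]]:
    """Split into (commit-message lines, diff lines) at the first bare '---' line."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line == "---":
            return lines[:i], lines[i + 1:]
    return lines, []  # no separator: treat the whole file as message text

def injected_diff_lines(text: str) -> list[tuple[int, str]]:
    """Diff-shaped lines inside the commit message, i.e. not part of the real commit."""
    message, _ = split_patch_email(text)
    return [(n, l) for n, l in enumerate(message, 1) if DIFF_MARKER.match(l)]

def git_dir_targets(text: str) -> list[str]:
    """Any target path, in message or diff, that points inside the .git directory."""
    paths = [m.group(1) for m in map(TARGET_PATH.match, text.splitlines()) if m]
    return [p for p in paths if p == ".git" or p.startswith(".git/")]

def is_safe_to_apply(text: str) -> bool:  # clean message and no .git/ targets
    return not injected_diff_lines(text) and not git_dir_targets(text)
```

Run the check on a downloaded `.patch` before handing it to `patch -p1`; a non-empty result from either finder means the file contains more than the visible commit.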

Hottest takes

"It's always been a stupid idea for every tool to have its own barely documented file format." — LiamPowell
"you can just change the extension provided to Github from `.patch` to `.diff`" — jolmg
"But what problem does this actually introduce?" — Schnitz
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.