Closed manveru closed 3 years ago
Probably https://github.com/crystal-lang/crystal/pull/9043 will be helpful here.
Or perform some schema validation in the yaml file.
Well, we don't really have a reason to invoke git through a shell, no? Let's just pass arguments individually.
I guess passing the arguments without shell should work. Note that adding a dependency to a project is not something we could guarantee as secure anyway. You could just execute any command with the postinstall hooks for example.
I think this was fixed by #447 which escapes all CLI arguments with `Process.quote`.
Due to the way git commands are executed (i.e. no `Process.run("git", args: [ ... ])` but interpolation), it's possible to execute stuff outside of hooks while parsing git dependencies:

This `shard.yml` will write `~/.cache/shards/github.com/crystal-lang/crystal-molinillo.git/booya` covertly as a simple proof of concept:
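The issue's proof-of-concept shard.yml is not included on this page. As an added example, not code from the issue or from the shards project, the Crystal snippet below contrasts the interpolated invocation the issue describes with the `Process.quote` and argument-array forms the comments recommend, plus a hypothetical URL allow-list check of the schema-validation kind suggested above; the sample URLs, `GIT_URL` and `plausible_git_url?` are constructed assumptions, not shards code.

```crystal
# Added example (not code from shards or the issue). Shows how a git URL taken
# from shard.yml reaches git under three invocation styles, and a simple
# allow-list check. All sample values below are constructed.

CLEAN_URL      = "https://github.com/crystal-lang/crystal-molinillo.git"
# A value with shell metacharacters: what a validator should reject.
SUSPICIOUS_URL = "https://example.invalid/repo.git; echo not-a-url"

# Unsafe: one command string handed to a shell. Every character of `url`
# is interpreted by the shell before git ever sees it.
def shell_command_for(url : String) : String
  "git ls-remote #{url}"
end

# Safer string form (what #447 does): Process.quote makes the shell treat
# the whole value as a single word.
def quoted_command_for(url : String) : String
  "git ls-remote #{Process.quote(url)}"
end

# Safest: no shell at all. Each array element is one argv entry, so
# metacharacters are plain bytes inside an argument git receives verbatim.
def git_args_for(url : String) : Array(String)
  ["ls-remote", url]
end

# Hypothetical schema check (not the project's rule): accept only values
# shaped like an http(s)/ssh/git remote or a scp-style git@host:path.
GIT_URL = /\A((https?|ssh|git):\/\/[\w.\-]+(:\d+)?\/[\w.\-\/]+|git@[\w.\-]+:[\w.\-\/]+)\z/

def plausible_git_url?(url : String) : Bool
  !!(url =~ GIT_URL)
end

# Runs git without a shell; the URL is exactly one argument. Not called at
# top level because it needs network access.
def ls_remote(url : String) : Process::Status
  raise ArgumentError.new("rejected git url: #{url.inspect}") unless plausible_git_url?(url)
  Process.run("git", args: git_args_for(url),
    env: {"GIT_TERMINAL_PROMPT" => "0"}, output: Process::Redirect::Close)
end

puts shell_command_for(SUSPICIOUS_URL)   # shell would split this into two commands
puts quoted_command_for(SUSPICIOUS_URL)  # shell sees one quoted argument
p git_args_for(SUSPICIOUS_URL)           # argv list, nothing for a shell to parse
p plausible_git_url?(SUSPICIOUS_URL)     # rejected by the allow-list
p plausible_git_url?(CLEAN_URL)          # accepted
```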