search

stackmuncher / stm_app

This software engineer profile builder turns your code into a detailed list of skills for an online directory of software developers.
https://stackmuncher.com
GNU Affero General Public License v3.0
22 stars 1 forks source link

Sanitise string interpolation for GIT command arguments #3

Open rimutaka opened 3 years ago

rimutaka commented 3 years ago

There are a few places in the args are built from variable strings, which can be an attack vector. E.g. using a commit SHA1 or committer name.

E.g. 

let mut git_args = vec![
        "log".into(),
        "--no-decorate".into(),
        "--name-only".into(),
        "--no-merges".into(),
        "--encoding=utf-8".into(),
    ];
    if let Some(author) = contributor_git_identity {
        git_args.push(["--author=\"", author, "\""].concat());
    };

I'm not sure if this is a real threat, but better be safe. Asked the question here https://www.reddit.com/r/rust/comments/kr989u/are_processcommand_arguments_safe_from_code/