yoshuawuyts / git-init

Initialize a new git repository
MIT License

Potential command injection vulnerability in git-init #2

Open xiaofen9 opened 1 year ago

xiaofen9 commented 1 year ago

Hi,

We would like to report a potential security vulnerability. The bug is introduced because the package-exported method fails to sanitize its parameter and lets it flow into a sensitive command execution API.

Here is the proof of concept.

```javascript
var ginit = require("git-init"); // package name fixed: the original read ".git-init"
ginit(";touch rce"); // a file named rce will be created
```

Please consider fixing it. Thanks!

santi100a commented 1 year ago

You're absolutely right, @xiaofen9. @yoshuawuyts, consider merging #1, then fixing this security vulnerability. You can even migrate your project to TypeScript and get automatically generated type definitions in seconds! If you want to keep it simple and let us maintain your type definitions, then consider addressing this issue.

santi100a commented 1 year ago

In the line exec('git init -q ' + path, cb), the path variable is concatenated directly into the command string without proper sanitization or validation. An attacker could potentially manipulate the path argument in a way that injects additional commands to be executed.

For example, if the path argument is set to ; rm -rf /, the resulting command passed to exec would be git init -q ; rm -rf /, which would execute the git init -q command followed by the potentially harmful rm -rf / command!