Fix security issue with git grep -O
Dawa Ometto committed Dec 4, 2014
1 parent 1b04ba5 commit 4520d97
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions lib/grit_adapter/git_layer_grit.rb
Expand Up @@ -136,6 +136,8 @@ def exist?

def grep(query, options={})
ref = options[:ref] ? options[:ref] : "HEAD"
query = Shellwords.split(query).select {|q| !(q =~ /^(-O)|(--open-files-in-pager)/) }
query = Shellwords.join(query)
args = [{}, '-I', '-i', '-c', query, ref, '--']
args << options[:path] if options[:path]
result = @git.grep(*args).split("\n")
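
Review bot: In grep, the filter on the first added line is a denylist for one option, and because query is still placed before '--' in args, any other token that starts with '-' continues to reach git grep as an option instead of as the search pattern. The regex also groups differently than it reads: in `/^(-O)|(--open-files-in-pager)/` the `^` anchors only the -O alternative, so the long form matches anywhere in a token while legitimate search terms that merely begin with -O are silently dropped. Shellwords.split also raises ArgumentError on unmatched quotes, so a query containing a lone quote character now fails before the search runs. Consider passing the pattern explicitly, for example `'-e', query` in args, so the user's text can never be parsed as an option, and add a test for a query that begins with a dash.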
Expand Down Expand Up @@ -165,6 +167,7 @@ def rev_list(options, *refs)

def ls_files(query, options = {})
options[:ref] = options[:ref] ? options[:ref] : "HEAD"
query = Shellwords.shellescape(query)


dometto Dec 4, 2014

Member

Escape the ls_files query for good measure.

@git.ls_files({}, "*#{query}*").split("\n")
end
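
Review bot: In ls_files, `Shellwords.shellescape(query)` is applied before the value is interpolated into `"*#{query}*"`, but nothing in the hunk shows whether @git.ls_files passes its arguments through a shell. If it does not, the backslashes that shellescape inserts become literal characters in the glob, so a query containing a space or other special character stops matching, and an empty query is turned into '' and yields the pattern *''*. Confirm how the adapter executes the command, escape only at that boundary, and state in a code comment which input this line guards against, since "for good measure" does not say.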


0 comments on commit 4520d97
