Fix git fetch - addresses a potential security concern regarding git …
…fetch (#103)

* fixes a potential security issue where fetch --upload-pack can allow for command injection

* Change files
kenotron committed Apr 20, 2022
1 parent 24040a5 commit 9bc7e65
Showing 2 changed files with 9 additions and 2 deletions.
@@ -0,0 +1,7 @@
{
"type": "patch",
"comment": "fixes a potential security issue where fetch --upload-pack can allow for command injection",
"packageName": "workspace-tools",
"email": "kchau@microsoft.com",
"dependentChangeType": "patch"
}
4 changes: 2 additions & 2 deletions src/git.ts
Expand Up @@ -118,15 +118,15 @@ export function getUntrackedChanges(cwd: string) {
}

export function fetchRemote(remote: string, cwd: string) {
const results = git(["fetch", remote], { cwd });
const results = git(["fetch", "--", remote], { cwd });

if (!results.success) {
throw gitError(`Cannot fetch remote: ${remote}`);
}
}

export function fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) {
const results = git(["fetch", remote, remoteBranch], { cwd });
const results = git(["fetch", "--", remote, remoteBranch], { cwd });

if (!results.success) {
throw gitError(`Cannot fetch remote: ${remote} ${remoteBranch}`);
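Review bot: The `--` added to the `git fetch` calls in `fetchRemote` and `fetchRemoteBranch` keeps a value beginning with `-` from being parsed as an option, but nothing in either function constrains what `remote` is, and git accepts a URL or local path in that position as well as a remote name. If callers can pass untrusted values (not visible from this hunk), validate `remote` against the repository's configured remote names before calling git, and reject a `remoteBranch` that is not a plain ref name. I would also add a comment above each call so the separator is not dropped in a later refactor, e.g. `// "--" ends option parsing: remote must never be interpreted as a git option`, and a regression test that passes a remote starting with `-`, since the commit changes only src/git.ts and the change file. `fetchRemoteBranch` continues past the end of the hunk, and other `git([...])` call sites in this file may need the same separator.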