Update commandsAndMenu.tsx to replace "`" in file path for Open Git Repository since it leads to Command Injection Vulnerability (#1196)

rahrad123 · web-flow · commit 2e8fd94b9b76 · 2022-12-06T09:10:01.000+01:00
When a repo is created with the backtick character around it and Initialized as a repo and then opened in Terminal, the linux command is resolved or executed on a running instance. For example if a folder with the name "whoami" is created, initialized as a repo and then opened in terminal using 'Open Git repository in Terminal' you will see that whoami is resolved to the current user which is a vector of command injection.
diff --git a/src/commandsAndMenu.tsx b/src/commandsAndMenu.tsx
@@ -160,7 +160,11 @@ export function addCommands(
           terminal.session.send({
             type: 'stdin',
             content: [
-              `cd "${gitModel.pathRepository.split('"').join('\\"')}"\n`
+              `cd "${gitModel.pathRepository
+                .split('"')
+                .join('\\"')
+                .split('`')
+                .join('\\`')}"\n`
             ]
           });
         }

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,11 @@ export function addCommands(`
`160`	`160`	`terminal.session.send({`
`161`	`161`	`type: 'stdin',`
`162`	`162`	`content: [`
`163`		- `cd "${gitModel.pathRepository.split('"').join('\\"')}"\n`
	`163`	+ `cd "${gitModel.pathRepository
	`164`	`+ .split('"')`
	`165`	`+ .join('\\"')`
	`166`	+ .split('`')
	`167`	+ .join('\\`')}"\n`
`164`	`168`	`]`
`165`	`169`	`});`
`166`	`170`	`}`