fix(hg): Command injection vulnerability in URLs via alias

tony · tony · commit 3f4e93ed5c22 · 2022-03-12T09:57:04.000-06:00
&gt; create_repo(
&gt;    url="--config=alias.clone=!touch ./HELLO", vcs="hg", repo_dir="./"
&gt; )

Credit: Alessio Della Libera &lt;alessio.dellalibera@snyk.io&gt; via Snyk
diff --git a/libvcs/hg.py b/libvcs/hg.py
@@ -26,7 +26,9 @@ def __init__(self, url, repo_dir, **kwargs):
     def obtain(self):
         self.ensure_dir()
 
-        self.run(["clone", "--noupdate", "-q", self.url, self.path])
+        # Double hyphens between [OPTION]... -- SOURCE [DEST] prevent command injections
+        # via aliases
+        self.run(["clone", "--noupdate", "-q", "--", self.url, self.path])
         self.run(["update", "-q"])
 
     def get_revision(self):
