Commit 3f4e93e

fix(hg): Command injection vulnerability in URLs via alias
> create_repo(
>     url="--config=alias.clone=!touch ./HELLO",
>     vcs="hg",
>     repo_dir="./"
> )

Credit: Alessio Della Libera <alessio.dellalibera@snyk.io> via Snyk
1 parent c8a2ca6 commit 3f4e93e

1 file changed (+3 -1 lines changed)

libvcs/hg.py

Lines changed: 3 additions & 1 deletion
@@ -26,7 +26,9 @@ def __init__(self, url, repo_dir, **kwargs):
2626
def obtain(self):
2727
self.ensure_dir()
2828

29-
self.run(["clone", "--noupdate", "-q", self.url, self.path])
29+
# Double hyphens between [OPTION]... -- SOURCE [DEST] prevent command injections
30+
# via aliases
31+
self.run(["clone", "--noupdate", "-q", "--", self.url, self.path])
3032
self.run(["update", "-q"])
3133

3234
def get_revision(self):
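Review bot: the added `--` in `self.run(["clone", "--noupdate", "-q", "--", self.url, self.path])` is the right fix, since Mercurial stops option parsing at a bare `--` and a URL such as `--config=alias.clone=!touch ./HELLO` then becomes SOURCE instead of an option, but the comment above it ("Double hyphens between [OPTION]... -- SOURCE [DEST] prevent command injections") reads like a usage-synopsis fragment; suggest stating the mechanism directly, e.g. "`--` ends option parsing, so self.url and self.path are always treated as SOURCE and DEST even if they begin with '-'". Two follow-ups worth considering in the same change: a regression test that calls obtain() with the URL from the commit message and asserts that no alias runs, and a defence-in-depth check in __init__ that rejects a url or repo_dir beginning with '-' before any subprocess is spawned, so that a future call site passing self.url without the separator does not silently reopen the issue.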
