
Careful, this could run arbitrary code in your shell

Open mbdaso opened this issue 6 years ago • 1 comments

If whatthecommit decides to upload a commit message of the form $(foo), a command corresponding to foo will run in your shell.

Example: git commit -m $(rm -rf *)

mbdaso avatar Aug 26 '19 16:08 mbdaso

Hi @alu0100832211, can you elaborate a bit? While using whatthecommit is obviously not a sane idea in general, I'm not sure how this could be exploited directly, unless it's possible to circumvent bash. However, I totally agree that you shouldn't paste things or load things directly from the internet(tm).

# to simulate a curl that returns this as a plain-text response
# (the original line lacked the ';' before '}', which bash rejects as a syntax error)
function whatthecommit() { echo '$(ls -la)'; }

echo "$(whatthecommit)"
# => "$(ls -la)", the inner $() is printed literally and not expanded

Or what am I missing exactly?

lwe avatar Sep 01 '19 16:09 lwe
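As an added example (not code from the issue or the whatthecommit project), the POSIX sh script below shows the point lwe's snippet makes in a more complete form: the text returned by a command substitution is not re-parsed by the shell, so a fetched message containing `$(...)` stays literal when it is stored in a quoted variable, and it adds a defensive check that rejects any message carrying substitution metacharacters before it reaches git. The `fake_whatthecommit` function and its message are constructed stand-ins for the remote call; `is_safe_message` and `capture_message` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed stand-in for the remote call: the message contains a
# command-substitution pattern, like the one described in the issue.
fake_whatthecommit() {
    printf '%s\n' 'refactor $(ls -la) handling'
}

# The output of a command substitution is never parsed again by the shell,
# so the inner $(...) survives as literal text inside the variable.
capture_message() {
    msg="$(fake_whatthecommit)"
    printf '%s' "$msg"
}

# Defensive check: refuse messages that carry shell substitution syntax,
# so a later eval or unquoted use elsewhere cannot expand them.
is_safe_message() {
    case "$1" in
        *'$('*|*'`'*|*'${'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Entry point: fetch, validate, then only echo the git command that would run.
main() {
    msg="$(capture_message)"
    if is_safe_message "$msg"; then
        printf 'would run: git commit -m "%s"\n' "$msg"
    else
        printf 'refusing message with shell metacharacters: %s\n' "$msg" >&2
        return 1
    fi
}

main || :
```

Running the script prints the refusal on stderr; swap the constructed message for a plain one and it prints the `git commit` line instead. The check is deliberately strict: a legitimate message that merely mentions `$(` is also refused, which is the safer failure mode for text pulled from an untrusted source.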