[1]: https://github.com/git/git/blob/master/contrib/completion/gi...
[1]: https://github.com/git/git/blob/9d77b0405ce6b471cb5ce3a90436...
git checkout complete_$(./foo)
git checkout 'complete_$(./foo)'
git checkout complete_\$\(./foo\)
However, I currently use Fish shell myself and it seems to be safe: http://imgur.com/a/rjocA
https://github.com/Bash-it/bash-it
git co -b foo <Tab> to complete branch names
git co -b foo $(./pw3n) <- execution right here
Now, I understand that you may not intimately understand 100% the code of the commands and shell extensions you use, but is that a "vulnerability"?
git cloning code vs. running code is sometimes a security boundary and sometimes not. For instance, if you go cd into that directory and then run make or ./configure or ./setup.py install or docker run or something, then yeah, you've removed that boundary. But in general, it's reasonable to keep the boundary there. Perhaps you're doing code review of code by an untrusted author, either of someone else's project or of a pull request to your own project. Perhaps you're packaging up the software to run it as a less-privileged account. Perhaps you're a sysadmin helping a user figure something out. And so forth.
This is a neat bug, though. Lots of package managers have similar problems, and I would not be surprised if there's a lot of git/shell/environment problems left to find.
[0] https://github.com/nojhan/liquidprompt
[1]: https://github.com/git/git/blob/master/contrib/completion/gi...
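As an added illustration of the "keep the boundary" point made above (this is not code from the thread, from git, or from the bash completion script): a small POSIX shell audit that lists the refs of a freshly cloned repository whose names contain characters a shell would interpret if the name were expanded unquoted, which is the condition under which a completion helper could end up running `$(...)`. The function names and the character set are my own choices; git's own ref-name rules already reject spaces, `*`, `?`, `~`, `\` and `[`, so the class below covers only the shell-significant characters git does permit.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Lists ref names that contain characters a POSIX shell treats specially
# when a word is expanded unquoted: $ ` ; & | < > ( ) { } " '
# (git allows all of these in ref names; it rejects space, ~, ^, :, ?, *, [ and \).
# Constructed character class, double-quoted so $ ` and " can be escaped cleanly.
UNSAFE_CLASS="[\$\`;&|<>(){}\"']"

# find_unsafe_refs: reads ref names, one per line, on stdin and prints only the
# suspicious ones. Exit status follows grep: 0 when at least one was found,
# 1 when none were, so it can be used directly in an `if`.
find_unsafe_refs() {
    grep -E "$UNSAFE_CLASS"
}

# audit_repo_refs: convenience wrapper that audits every ref of the repository
# in the current working directory (assumes git is installed and cwd is a checkout).
audit_repo_refs() {
    git for-each-ref --format='%(refname)' | find_unsafe_refs
}

# Constructed sample run: two ordinary refs and one carrying a command substitution.
# The single-quoted literal keeps $(./foo) as text; nothing is executed.
sample_refs='refs/heads/main
refs/heads/feature/x-1
refs/heads/complete_$(./foo)'

if printf '%s\n' "$sample_refs" | find_unsafe_refs; then
    echo "review the refs above before using shell completion in this checkout"
fi
```

Run it as `audit_repo_refs` from inside a clone you do not yet trust; a non-empty listing is the cue to inspect those refs (`git show-ref`, `git log` on them) before relying on tab completion in that directory.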