Description
get_branch_diff() and get_commit_diff() in src/git/diff.rs:38-58 pass user-provided strings directly to git_cmd(). While Rust's Command API prevents shell injection, a malicious branch name like --exec could be interpreted as a git flag.
Current Mitigation
Command::new("git").args(args) uses execvp-style argument passing — NOT shell injection ✅
ref_str.contains("..") check is semantic, not security
Suggested Fix
Add -- separator in git diff commands to prevent argument injection.
Description
get_branch_diff()andget_commit_diff()insrc/git/diff.rs:38-58pass user-provided strings directly togit_cmd(). While Rust'sCommandAPI prevents shell injection, a malicious branch name like--execcould be interpreted as a git flag.Current Mitigation
Command::new("git").args(args)uses execvp-style argument passing — NOT shell injection ✅ref_str.contains("..")check is semantic, not securitySuggested Fix
Add
--separator in git diff commands to prevent argument injection.