
[bug] Pipes in branch names #505

@xPartyBear

Description


Describe the bug

Having pipes in the branch name causes the command to error and run what is after the pipe as a separate command. This can cause malicious users to run code on the machine/container sourcebot is on.

To reproduce

Have a pipe (|) in a branch or tag name.

Sourcebot deployment information

Sourcebot version (e.g. v3.0.1): v4.6.7
Look at backend/zoekt.ts
This can be solved by using quotes around the branches/tags in the zoekt-git-index command on line 66 of zoekt.ts. Also take a look at spawn instead of exec for running the command; spawn has some built-in escaping for special characters.

Additional information

No response
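The pattern behind this report, as an added example that is not Sourcebot's own code and does not reproduce `backend/zoekt.ts`: a branch list interpolated into a string handed to `exec()` runs through `/bin/sh`, so a `|` in a branch name (a character git permits in ref names) terminates the indexer's argument list and starts a second command. The example uses `echo` as a stand-in for `zoekt-git-index` so it runs anywhere, and the flag layout (`<repo> -branches a,b`), the `/tmp/repo` path and the two hostile branch names are constructed for the demo. It also shows why wrapping the value in double quotes is not enough on its own (`$(...)` still expands inside them), and that `execFile()`/`spawn()` with an argument array and no `shell: true` never invokes a shell, so every metacharacter arrives as plain data.

```typescript
// Added example, not Sourcebot code. `echo` stands in for zoekt-git-index;
// the argument layout and repo path are assumptions made for the demo.
import { execFileSync, execSync } from "node:child_process";

// Constructed hostile branch names. Both are valid git ref names.
export const HOSTILE_PIPE = "main|echo INJECTED";        // the case in this issue
export const HOSTILE_SUBST = "main$(echo INJECTED)";     // survives naive quoting

const INDEXER = "echo"; // stand-in for zoekt-git-index (assumption)

// Vulnerable: one command string, interpreted by /bin/sh. The `|` in the
// branch name turns the tail of the line into a second command.
export function indexVulnerable(repoPath: string, branches: string[]): string {
  const cmd = `${INDEXER} ${repoPath} -branches ${branches.join(",")}`;
  return execSync(cmd, { encoding: "utf8" }).trim();
}

// Still vulnerable: double quotes stop `|` and `;` from splitting the command,
// but the shell still performs `$(...)` and backtick substitution inside them.
export function indexQuotedNaive(repoPath: string, branches: string[]): string {
  const cmd = `${INDEXER} ${repoPath} -branches "${branches.join(",")}"`;
  return execSync(cmd, { encoding: "utf8" }).trim();
}

// Hardened: execFile() (equivalently spawn() without `shell: true`) passes
// argv straight to the process. No shell parses the string, so there is no
// escaping to get right; each branch name is data inside one argument.
export function indexHardened(repoPath: string, branches: string[]): string {
  const args = [repoPath, "-branches", branches.join(",")];
  return execFileSync(INDEXER, args, { encoding: "utf8" }).trim();
}

function main(): void {
  console.log("vulnerable :", indexVulnerable("/tmp/repo", [HOSTILE_PIPE]));
  // -> "INJECTED"  (the shell ran `echo INJECTED` as a separate command)
  console.log("quoted     :", indexQuotedNaive("/tmp/repo", [HOSTILE_PIPE]));
  // -> "/tmp/repo -branches main|echo INJECTED"  (pipe neutralised)
  console.log("quoted     :", indexQuotedNaive("/tmp/repo", [HOSTILE_SUBST]));
  // -> "/tmp/repo -branches mainINJECTED"  (substitution still ran)
  console.log("hardened   :", indexHardened("/tmp/repo", [HOSTILE_SUBST]));
  // -> "/tmp/repo -branches main$(echo INJECTED)"  (verbatim, no shell)
}
main();
```

The same argument-array form applies to `spawn()`: the protection comes from not launching a shell at all, not from any escaping in Node, so passing `shell: true` to `spawn` or `execFile` reintroduces the problem. Branch names can still be hostile to the indexer itself (for example a value beginning with `-` can read as a flag to some tools), which is a separate check on the consuming binary's own parsing.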
