ggit@0.9.0 vulnerabilities

Local promise-returning git command wrappers

  • latest version

    2.4.12

  • first published

    11 years ago

  • latest version published

    5 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the ggit package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Arbitrary Argument Injection

    Affected versions of this package are vulnerable to Arbitrary Argument Injection via the clone() API, which allows specifying the remote URL to clone and the file on disk to clone to. The library does not sanitize for user input or validate a given URL scheme, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

    How to fix Arbitrary Argument Injection?

    There is no fixed version for ggit.

    *
    • M
    Command Injection

    Affected versions of this package are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API.

    How to fix Command Injection?

    There is no fixed version for ggit.

    *