check-branches Command Injection Vulnerability
Vulnerability
A command injection vulnerability exists in all versions of the check-branches package, a command-line tool that checks git branches for merge conflicts. The tool treats branch names as trusted plain text and builds its git command lines by string concatenation, so a branch name containing shell metacharacters (for example `$(...)`, backticks, `;` or `&&`) is interpreted as part of the command rather than as a ref name. Anyone who can introduce such a branch name into a repository the tool inspects can have their command executed when the tool runs.
Impact
Exploitation of this vulnerability allows arbitrary command execution on the system where check-branches is run, with the privileges of the user running the tool.
Reproduction
To reproduce this vulnerability, install check-branches version 0.0.19. Ensure there is a valid git repository with remotes configured and at least one branch created. Create a new branch whose name carries a command injection payload, for example one that echoes 'hello world' into a file under /tmp. Switch to that branch and run the check-branches command. The tool completes without reporting any conflicts, but the injected command has been executed: the file exists in /tmp with the specified contents.
