From 5108446c1e23960d65e8b973f1d9486f9f9dbd6c Mon Sep 17 00:00:00 2001
From: jammy
Date: Fri, 3 Apr 2020 23:58:55 +0200
Subject: [PATCH] fix command injection vulnerability
---
 example/index.js | 2 +-
 lib/index.js | 25 +++++++++----------------
 2 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/example/index.js b/example/index.js
index de78aea..0a86e73 100644
--- a/example/index.js
+++ b/example/index.js
@@ -16,7 +16,7 @@ oneByOne([
 }
 , cb => {
 console.log("> Created README.md");
- myRepo.exec("add .", cb);
+ myRepo.exec(['add', '.'], cb);
 }
 , cb => {
 console.log("> Added the files.");
diff --git a/lib/index.js b/lib/index.js
index 012b191..0691556 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -52,20 +52,12 @@ class Gry {
 * @return {Gry} The `Gry` instance.
 */
 exec (command, args, callback) {
- var eargs = [];
 if (typeof args === "function") {
 callback = args;
 args = null;
 }
- // Handle spawn
- if (Array.isArray(args)) {
- eargs.push("git", [command].concat(args));
- } else {
- eargs.push("git " + command.trim());
- }
- eargs.push({ cwd: this.cwd });
 // Add the callback function
@@ -73,8 +65,9 @@ class Gry {
 if (err) { return callback(err); }
 callback(null, stdout.trimRight());
 });
+ console.log({command, eargs, callback})
- el.add.apply(el, eargs);
+ el.add('git', command, eargs[0], eargs[1]);
 return this;
 }
@@ -88,7 +81,7 @@ class Gry {
 * @return {Gry} The `Gry` instance.
 */
 init (callback) {
- return this.exec("init", callback);
+ return this.exec(['init'], callback);
 }
 /**
@@ -128,7 +121,7 @@ class Gry {
 callback = options;
 options = "";
 }
- return this.exec("commit -m \"" + message + "\" " + options, callback)
+ return this.exec(['commit', '-m', message, ...options.split(' ').filter(a => a)], callback)
 }
 /**
@@ -146,7 +139,7 @@ class Gry {
 callback = options;
 options = "";
 }
- return this.exec("pull " + options, callback);
+ return this.exec(['pull', ...options.split(' ')], callback);
 }
 /**
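Review bot: `eargs` is no longer declared in exec() once `var eargs = [];` is removed, yet the second exec hunk still reads it in `el.add('git', command, eargs[0], eargs[1])`, and the unchanged `eargs.push(...)` that adds the wrapped callback (the `});` context line in that hunk) presumably still runs, so every call would throw a ReferenceError; the `{ cwd: this.cwd }` option is also dropped, so git would no longer run in the repository directory. Judging by the original `el.add.apply(el, eargs)` order (command, args, options, callback), restoring the declaration as `var eargs = [{ cwd: this.cwd }];` would make `eargs[0]` the options and `eargs[1]` the wrapped callback — confirm against el.add's signature. The leftover `console.log({command, eargs, callback})` debug line should be deleted: it would print every git argument, including commit messages and remote URLs, to stdout. Since callers now pass an array as `command` and `args` is no longer used, either the JSDoc above the hunk should state that `command` is an argv array (a plain string is no longer trimmed or split), or exec() should normalize with `if (!Array.isArray(command)) command = [command];`. exec() ends outside both hunks.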
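Review bot: `options.split(' ')` with the default `options = ""` yields `[""]`, so pull() now passes an empty argv element (`git pull ""`) that git will most likely reject; the same applies to the add, branch, checkout and clone hunks, and to any double space in a caller-supplied options string. The commit hunk already guards against this with `.filter(a => a)`; the other five should use the same expression, ideally through one shared helper such as `const splitOptions = (s) => s.split(' ').filter(a => a);` so the methods stay consistent. Splitting on spaces also means an option value containing a space, which the old shell-string API could carry in quotes, now arrives as several arguments, so the method JSDoc (outside these hunks) should state that `options` is a space-separated list with no quoting support. Each method's body starts outside its hunk.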
@@ -164,7 +157,7 @@ class Gry {
 callback = options;
 options = ".";
 }
- return this.exec("add " + options, callback);
+ return this.exec(['add', ...options.split(' ')], callback);
 }
 /**
@@ -182,7 +175,7 @@ class Gry {
 callback = options;
 options = "";
 }
- return this.exec("branch " + options, callback);
+ return this.exec(['branch', ...options.split(' ')], callback);
 }
 /**
@@ -200,7 +193,7 @@ class Gry {
 callback = options;
 options = "";
 }
- return this.exec("checkout " + options, callback);
+ return this.exec(['checkout', ...options.split(' ')], callback);
 }
 /**
@@ -219,7 +212,7 @@ class Gry {
 callback = options;
 options = "";
 }
- return this.exec("clone " + gitUrl + " " + options, callback);
+ return this.exec(['clone', gitUrl, ...options.split(' ')], callback);
 }
 }
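Review bot: `gitUrl` is placed directly after `'clone'` in the new argv, so although the shell-injection path is gone, a value beginning with `-` is still parsed by git as an option rather than as the repository; passing it after an end-of-options marker, `return this.exec(['clone', ...options.split(' ').filter(a => a), '--', gitUrl], callback);`, keeps git reading it as the repository argument. The `.filter(a => a)` is needed because the default `options = ""` otherwise contributes an empty argv element. The clone JSDoc (outside the hunk) should note that `gitUrl` is passed as a single argument and is not shell-interpreted. clone() starts outside the hunk.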