Add comment about untrusted origin_cmdstricter-exec_cmd

author: Jacob Vosmaer <contact@jacobvosmaer.nl> 2015-11-26 17:33:08 +0100
committer: Jacob Vosmaer <contact@jacobvosmaer.nl> 2015-11-26 17:33:08 +0100
commit: 9d12fa78d8eb10235dbd287478a3c861dc5a7a25 (patch)
tree: 35a85bc72e814ac0f54a80b345d46fcd3bf42ea8 /lib/gitlab_shell.rb
parent: ca66ab5191510aac5c71f3ab7ad3172d1cf3b67a (diff)
download: gitlab-shell-stricter-exec_cmd.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/gitlab_shell.rb b/lib/gitlab_shell.rb
index 1ce3b60..8ee50c8 100644
--- a/lib/gitlab_shell.rb
+++ b/lib/gitlab_shell.rb
@@ -17,6 +17,9 @@ class GitlabShell
     @repos_path = @config.repos_path
   end
 
+  # The origin_cmd variable contains UNTRUSTED input. If the user ran
+  # ssh git@gitlab.example.com 'evil command', then origin_cmd contains
+  # 'evil command'.
   def exec(origin_cmd)
     unless origin_cmd
       puts "Welcome to GitLab, #{username}!"
author	Jacob Vosmaer <contact@jacobvosmaer.nl>	2015-11-26 17:33:08 +0100
committer	Jacob Vosmaer <contact@jacobvosmaer.nl>	2015-11-26 17:33:08 +0100
commit	9d12fa78d8eb10235dbd287478a3c861dc5a7a25 (patch)
tree	35a85bc72e814ac0f54a80b345d46fcd3bf42ea8 /lib/gitlab_shell.rb
parent	ca66ab5191510aac5c71f3ab7ad3172d1cf3b67a (diff)
download	gitlab-shell-stricter-exec_cmd.tar.gz