giting versions prior to 0.0.8 allow execution of arbitrary commands. The first argument, “repo”, of the function “pull()” is executed by the package without any validation.
CWE-78
CVE-2019-10803
push-dir through 0.4.1 allows execution of arbitrary commands. Arguments provided as part of the variable “opt.branch” are not validated before being passed to the “git” command within “index.js#L139”. This could be abused by an attacker to inject arbitrary commands.
CVE-2019-10804
serial-number through 1.3.0 allows execution of arbitrary commands. The “cmdPrefix” argument of the serialNumber function is used by the “exec” function without any validation.
CVE-2019-10807
Blamer versions prior to 1.0.1 allow execution of arbitrary commands. It is possible to inject arbitrary commands as part of the arguments provided to blamer.
CVE-2019-10774
php-shellcommand versions before 1.6.1 have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-10776
In the “index.js” file at line 240, the run command executes the git command with a user-controlled variable called remoteUrl. This affects all git-diff-apply versions prior to 0.22.2.