From a9cff821619727a50d4b11af4db7f839b9c00dc3 Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Mon, 11 Jan 2021 18:48:54 +0000 Subject: [PATCH] Add change-note for addition of `git` to the list of known interpreters for the go/command-injection query. --- change-notes/2021-01-08-git-as-interpreter.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 change-notes/2021-01-08-git-as-interpreter.md diff --git a/change-notes/2021-01-08-git-as-interpreter.md b/change-notes/2021-01-08-git-as-interpreter.md new file mode 100644 index 00000000000..adcd9cafaad --- /dev/null +++ b/change-notes/2021-01-08-git-as-interpreter.md @@ -0,0 +1,2 @@ +lgtm,codescanning +* Added `git` as a potentially-exploitable command interpreter for the purposes of the `go/command-injection` query. Because some of its options can cause it to execute an arbitrary command, unsanitized user data can be dangerous to include in its argument list. Such cases will now be flagged as an alert.
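Review bot: In the added bullet of change-notes/2021-01-08-git-as-interpreter.md, "Such cases will now be flagged as an alert" leaves "such cases" undefined. The note does not say whether every piece of unsanitized user data in a `git` argument list is flagged or only data that can land in an option position, and it does not say what the query accepts as sanitized. Consider adding a clause that states which arguments are treated as sinks, so readers can predict the new `go/command-injection` alerts and know how to resolve them. Minor: the file name carries the date 2021-01-08 while the commit is dated 11 Jan 2021; confirm the prefix follows the convention used for other files in change-notes/.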