Client side code execution
The extension uses execa in version 1.0.0 for various git-related tasks. This version has a default setting of true for preferLocal, which means that the extension will search for the git binary within the local project path. Because of this, we can construct a repository which will execute arbitrary commands when the extension tries to invoke git.

The fix would be to set preferLocal: false here.
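
A workspace check that follows from the description above, as an added example that is not the extension's own code: it lists files that would be found ahead of the system git when a command is launched from a directory with preferLocal: true. It assumes that preferLocal prepends every node_modules/.bin directory from the working directory upward to PATH; the function names and the temporary sample workspaces are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Assumption: with preferLocal enabled, execa prepends every
// node_modules/.bin directory from cwd up to the filesystem root to PATH.
function localBinDirs(cwd) {
  const dirs = [];
  let dir = path.resolve(cwd);
  for (;;) {
    dirs.push(path.join(dir, 'node_modules', '.bin'));
    const parent = path.dirname(dir);
    if (parent === dir) return dirs;
    dir = parent;
  }
}

// Candidate file names for a command; Windows also tries PATHEXT extensions.
function candidateNames(command, platform = process.platform) {
  if (platform !== 'win32') return [command];
  const exts = (process.env.PATHEXT || '.COM;.EXE;.BAT;.CMD').split(';');
  return [command, ...exts.map((e) => command + e.toLowerCase())];
}

// Return every file that would be found before the system binary when
// `command` is launched from `cwd` with preferLocal: true. Any file is
// reported, executable or not, so the check errs on the side of flagging.
function findShadowingBinaries(cwd, command = 'git') {
  const hits = [];
  for (const dir of localBinDirs(cwd)) {
    for (const name of candidateNames(command)) {
      const candidate = path.join(dir, name);
      if (fs.existsSync(candidate)) hits.push(candidate);
    }
  }
  return hits;
}

// Constructed sample: two temporary workspaces, one carrying an empty
// placeholder file named "git" under node_modules/.bin.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'prefer-local-'));
  const clean = path.join(root, 'clean', 'src');
  const flagged = path.join(root, 'flagged', 'src');
  const bin = path.join(root, 'flagged', 'node_modules', '.bin');
  for (const d of [clean, flagged, bin]) fs.mkdirSync(d, { recursive: true });
  fs.writeFileSync(path.join(bin, 'git'), '');
  return { clean: findShadowingBinaries(clean), flagged: findShadowingBinaries(flagged), bin };
}
```

A non-empty result for a freshly cloned repository is worth reviewing before any tool that runs git with preferLocal enabled is pointed at it.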