From 9d12fa78d8eb10235dbd287478a3c861dc5a7a25 Mon Sep 17 00:00:00 2001
From: Jacob Vosmaer
Date: Thu, 26 Nov 2015 17:33:08 +0100
Subject: Add comment about untrusted origin_cmd
---
 lib/gitlab_shell.rb | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'lib/gitlab_shell.rb')
diff --git a/lib/gitlab_shell.rb b/lib/gitlab_shell.rb
index 1ce3b60..8ee50c8 100644
--- a/lib/gitlab_shell.rb
+++ b/lib/gitlab_shell.rb
@@ -17,6 +17,9 @@ class GitlabShell
 @repos_path = @config.repos_path
 end
+ # The origin_cmd variable contains UNTRUSTED input. If the user ran
+ # ssh git@gitlab.example.com 'evil command', then origin_cmd contains
+ # 'evil command'.
 def exec(origin_cmd)
 unless origin_cmd
 puts "Welcome to GitLab, #{username}!"
--
cgit v1.2.1
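Review bot: The new comment above `exec` marks origin_cmd as untrusted but stops short of the rule a maintainer has to follow because of it. I would add a closing line such as `# Parse it and match it against the allowed commands; never interpolate it into a shell string.` so the invariant sits next to the warning. The body of `exec` continues past the end of this hunk, so whether the existing parsing already enforces this is not visible here and should be confirmed against the rest of the method.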