
Command Injection Vulnerability in cocoapods-downloader via git Arguments #471

@yuzhongqi

Issue Description:
The cocoapods-downloader package before version 1.6.0, and versions 1.6.2 through 1.6.3, is vulnerable to command injection when using git. Specifically, the Pod::Downloader.preprocess_options function passes both the git and branch parameters directly to the git ls-remote subcommand without proper sanitization. This allows an attacker to inject additional git flags, potentially leading to arbitrary command execution on the system.

Recommendation:
Upgrade cocoapods-downloader to version 1.6.0 or later to mitigate this vulnerability.
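The mechanism described above is git argument injection, not shell injection: a value that git expects in a positional slot (a repository URL or a ref) is parsed as an option if it begins with `-`, and some git options such as `--upload-pack` name a program git will run. The following is an added example, not code from cocoapods-downloader, showing the vulnerable argv shape beside a hardened one. It only builds the `git ls-remote` argument arrays and never executes git, so it runs offline; the Podspec-style inputs and the `--upload-pack=...` branch value are constructed for illustration, and the ref allowlist is a deliberately conservative subset of git's own `check-ref-format` rules rather than a reproduction of them.

```ruby
# Added example (not cocoapods-downloader's own code): how a git argument
# injection arises when user-controlled values are appended to a git argv
# unchecked, and one way to harden the call. Nothing is executed here.

class UnsafeGitArgument < ArgumentError; end

# Vulnerable shape: url and branch go straight into positional slots, so a
# value starting with "-" is parsed by git as an option.
def ls_remote_argv_unsafe(git_url, branch = nil)
  argv = ['git', 'ls-remote', git_url]
  argv << branch if branch
  argv
end

# Conservative allowlist for ref names (assumption: stricter than git's own
# check-ref-format, but enough for the branch/tag names specs normally use).
def valid_ref_name?(ref)
  return false if ref.empty?
  return false if ref.start_with?('-', '/') || ref.end_with?('/', '.lock', '.')
  return false if ref.include?('..') || ref.include?('//')
  ref.match?(%r{\A[A-Za-z0-9._/@+-]+\z})
end

def assert_not_option!(name, value)
  if value.start_with?('-')
    raise UnsafeGitArgument, "#{name} must not start with '-': #{value.inspect}"
  end
  value
end

# Hardened shape: reject option-looking values, and place "--" before the
# positional arguments so git stops option parsing there (belt and braces).
def ls_remote_argv_safe(git_url, branch = nil)
  assert_not_option!('git', git_url)
  argv = ['git', 'ls-remote', '--', git_url]
  if branch
    raise UnsafeGitArgument, "invalid ref: #{branch.inspect}" unless valid_ref_name?(branch)
    argv << branch
  end
  argv
end

# True if any value after the subcommand would be parsed by git as an option.
def injected?(argv)
  argv.drop(2).any? { |a| a.start_with?('-') && a != '--' }
end

# Constructed inputs (not from any real Podspec).
GOOD_GIT = 'https://github.com/example/Example.git'
GOOD_BRANCH = 'release/1.2'
# Constructed injection: git treats this as an option naming a program to
# run, not as a ref to look up.
INJECTED_BRANCH = '--upload-pack=touch /tmp/argument-injection'

if $PROGRAM_NAME == __FILE__
  p ls_remote_argv_unsafe(GOOD_GIT, INJECTED_BRANCH)
  p injected?(ls_remote_argv_unsafe(GOOD_GIT, INJECTED_BRANCH))
  begin
    ls_remote_argv_safe(GOOD_GIT, INJECTED_BRANCH)
  rescue UnsafeGitArgument => e
    puts "rejected: #{e.message}"
  end
  p ls_remote_argv_safe(GOOD_GIT, GOOD_BRANCH)
end
```

When the argv is eventually run, pass it as separate arguments (for example `Open3.capture3(*argv)`), never joined into a single shell string; that removes shell metacharacter problems but, as the example shows, does nothing against option-looking values, which is why the leading-dash check and the `--` separator are needed in addition.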
