From bcd0d469bbc997b34b9d11246b179d32253ce04d Mon Sep 17 00:00:00 2001
From: rahrad123 <107952571+rahrad123@users.noreply.github.com>
Date: Mon, 5 Dec 2022 14:47:55 -0800
Subject: [PATCH] Update commandsAndMenu.tsx to replace "`" in file path for Open Git Repository since it leads to Command Injection Vulnerability

When a repo is created with the backtick character around it and Initialized as a repo and then opened in Terminal, the linux command is resolved or executed on a running instance. For example if a folder with the name "whoami" is created, initialized as a repo and then opened in terminal using 'Open Git repository in Terminal' you will see that whoami is resolved to the current user which is a vector of command injection.
---
 src/commandsAndMenu.tsx | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/commandsAndMenu.tsx b/src/commandsAndMenu.tsx
index 460766d1e..992a759ea 100644
--- a/src/commandsAndMenu.tsx
+++ b/src/commandsAndMenu.tsx
@@ -160,7 +160,11 @@ export function addCommands(
           terminal.session.send({
             type: 'stdin',
             content: [
-              `cd "${gitModel.pathRepository.split('"').join('\\"')}"\n`
+              `cd "${gitModel.pathRepository
+                .split('"')
+                .join('\\"')
+                .split('`')
+                .join('\\`')}"\n`
             ]
           });
         }
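Review bot: The added `.split('`').join('\\`')` closes only the backtick form of command substitution; the path is still interpolated inside a double-quoted shell string, where `$` and `\` remain special, so a repository path containing `$(whoami)` or `${HOME}` is still expanded, and a path containing a backslash followed by a quote (e.g. `a\"b`) becomes `a\\"b` after the quote escape and breaks out of the quotes because the backslash itself is never escaped. Rather than escaping characters one at a time inside double quotes, single-quote the path and escape only embedded single quotes, which suppresses every expansion at once (including interactive bash history expansion on `!`): `content: ["cd '" + gitModel.pathRepository.split("'").join("'\\''") + "'\n"]`. This assumes the terminal runs a POSIX-style shell; if Windows shells (cmd or PowerShell) are supported, their quoting rules differ and a per-shell quoting helper would be needed. Since the path is sent as raw stdin, a newline in the path would also start a new command line unless quoted this way. The enclosing `execute` callback and the `addCommands` function begin and end outside this hunk.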