It can be used to break out from restricted environments by running non-interactive system commands.
git diff
supports the (undocumented) option --output
, but if no other positional
parameters are present, the destination file can only be created or truncated.
If the Git repository is controlled, planting a bare repository at the top-level
with a malicious configuration (e.g. core.fsmonitor
), truncating .git/config
and then running another Git command is enough to gain code execution.
git diff '--output=.git/config'
git status