Hello - This is not a git bug or issue. It's just something I stumbled across and didn't see any google results for. I thought others would benefit from being aware of it.
I saw a makefile which included of "git describe --tags --dirty" to define version information for a binary's --version command line parameter. The commit/tag information was passed to g++ in a Makefile via: CXXFLAGS += -DBUILD_COMMIT="\"$(shell git describe --tags --dirty)\"" For fun (on Linux) I made simple c++ program and Makefile with the above CXXFLAGS, and a tag (backticks work too): git tag '$(echo>/tmp/test.txt)' Then built. Make executes the git command via a shell and the shell executes the subshell. /tmp/test.txt was created. The tags themselves don't allow spaces so the complexity of the command is limited, though I didn't explore what I could do with chaining shells or escape characters. It's easy enough to add a script to the repository where the tag is located and execute that script from the tag's subshell with a tag, such as $(./test.sh). Again, this is not at all a git issue, git is just used as the transport. As with every other shell attack, it comes down to "always sanitize what you pass through to a shell". Or don't pass it to the shell at all, use another mechanism.
