export type VulnerabilityCategory = keyof VulnerabilityCategoryFlags; export interface Vulnerability { category: VulnerabilityCategory; message: string; } export interface VulnerabilityCategoryFlags { /** * Use of the `alias.*` configuration settings in simple-git tasks */ allowUnsafeAlias: boolean; /** * Use of the `core.askPass` configuration setting and environment variables in simple-git tasks */ allowUnsafeAskPass: boolean; /** * Allows using environment variables to set configuration paths in simple-git tasks */ allowUnsafeConfigPaths: boolean; /** * Allows setting configuration fields from environment variables in simple-git tasks. Any * configuration set in this way will still be subject to the same block-listing checks and * may require other unsafe flags to be enabled for use. */ allowUnsafeConfigEnvCount: boolean; /** * Allows setting credential helper in simple-git tasks */ allowUnsafeCredentialHelper: boolean; /** * Allows setting path to the text editor utility in simple-git tasks */ allowUnsafeEditor: boolean; /** * Allows use of setting paths for merge tools in simple-git tasks */ allowUnsafeMergeDriver: boolean; /** * Allows setting path to the pager utility in simple-git tasks */ allowUnsafePager: boolean; /** * By default, `simple-git` prevents the use of inline configuration * options to override the protocols available for the `git` child * process to prevent accidental security vulnerabilities when * unsanitised user data is passed directly into operations such as * `git.addRemote`, `git.clone` or `git.raw`. * * Enable this override to use the `ext::` protocol (see examples on * [git-scm.com](https://git-scm.com/docs/git-remote-ext#_examples)). */ allowUnsafeProtocolOverride: boolean; /** * Given the possibility of using `--upload-pack` and `--receive-pack` as * attack vectors, the use of these in any command (or the shorthand * `-u` option in a `clone` operation) are blocked by default. * * Enable this override to permit the use of these arguments. */ allowUnsafePack: boolean; /** * Using a `-c` switch to enable custom SSH commands opens up a potential * attack vector for running arbitrary commands. */ allowUnsafeSshCommand: boolean; /** * Using a `-c` switch to enable custom proxy command for the `git://` transport * exposes and attack vector for running arbitrary commands. */ allowUnsafeGitProxy: boolean; /** * Using a `-c` switch to enable custom hooks path commands to be run automatically * exposes and attack vector for running arbitrary commands. */ allowUnsafeHooksPath: boolean; /** * Using a `-c` switch to enable setting binary for processing diffs * exposes and attack vector for running arbitrary commands. */ allowUnsafeDiffExternal: boolean; /** * Using a `-c` switch to enable setting binary for retrieving text content of a file */ allowUnsafeDiffTextConv: boolean; /** * Using a `-c` switch to enable setting binary for `smudge` and `clean` operations * which can add and remove content to a file during checkout and commit. */ allowUnsafeFilter: boolean; /** * Using a `-c` switch to enable setting the binary to which `git` will delegate * file content change detection. */ allowUnsafeFsMonitor: boolean; /** * Using a `-c` switch to configure the GPG signing program (`gpg.program`) or a * per-format variant (`gpg.ssh.program`, `gpg.x509.program`). Controlling the signing * binary allows an attacker to run arbitrary code whenever a commit or tag is signed. */ allowUnsafeGpgProgram: boolean; /** * Allows overriding template directory either by environment variable or configuration in simple-git tasks */ allowUnsafeTemplateDir: boolean; }