models/release: filter input to prevent command line argument vulnerability

2025-11-04 08:30:25 +08:00 · 2016-05-06 15:40:41 -04:00
parent 3df8eb60e3
commit 0a78d99a4d
7 changed files with 11 additions and 128 deletions
--- a/models/release.go
+++ b/models/release.go
@@ -67,6 +67,8 @@ func createTag(gitRepo *git.Repository, rel *Release) error {
 				return fmt.Errorf("GetBranchCommit: %v", err)
 			}

+			// Trim '--' prefix to prevent command line argument vulnerability
+			rel.TagName = strings.TrimPrefix(rel.TagName, "--")
 			if err = gitRepo.CreateTag(rel.TagName, commit.ID.String()); err != nil {
 				return err
 			}