[SECURITY] Several command injections

[maple3142]

There are several command injection vulnerabilities in Gitly:

gitly/src/repo_routes.v

Lines 530 to 543 in d0e1f3a

	['/:user/:repository/raw/:branch_name/:path...']
	pub fn (mut app App) handle_raw(username string, repo_name string, branch_name string, path string) vweb.Result {
	user := app.get_user_by_username(username) or { return app.not_found() }
	repo := app.find_repo_by_name_and_user_id(repo_name, user.id)
	if repo.id == 0 {
	return app.not_found()
	}
	// TODO: throw error when git returns non-zero status
	file_source := repo.git('--no-pager show ${branch_name}:${path}')
	return app.ok(file_source)
	}

gitly/src/commit_routes.v

Lines 87 to 94 in d0e1f3a

	is_patch_request := hash.ends_with('.patch')
	if is_patch_request {
	commit_hash := hash.trim_string_right('.patch')
	patch := repo.get_commit_patch(commit_hash) or { return app.not_found() }
	return app.ok(patch)
	}

gitly/src/repo_service.v

Line 659 in d0e1f3a

patch := r.git('format-patch --stdout -1 ${commit_hash}')

I think there are more possible injection points so it is probably not enough to fix these parts only.

If possible, consider Adding a security policy to your repository in the future.

[ghost]

Yes, you are right. Thank you for your feedback. I haven't done any checks in any place of calling the git command yet.