VYPR
Critical severity · NVD Advisory · Published Jan 13, 2021 · Updated Aug 3, 2024

CVE-2021-3028

Description

git-big-picture before 1.0.0 mishandles ' characters in a branch name, leading to code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: git-big-picture (PyPI)
Affected versions: < 1.0.0
Patched versions: 1.0.0

Vulnerability mechanics

Root cause

"Improper input validation: branch names containing tick characters are not sanitized before being passed to Python's eval(), allowing code injection."

Attack vector

An attacker who can create a Git branch with a crafted name containing a single tick (`'`) character can inject arbitrary Python code. The original code builds a `--format` string that wraps each field in single quotes and then passes the output to Python's `eval()` [CWE-20]. When a branch name includes a tick, it breaks out of the string literal and allows execution of attacker-controlled expressions. The attacker only needs the ability to push or create a branch with a malicious name in a repository that a victim will later analyze with `git-big-picture`.

Affected code

The vulnerability resides in `git-big-picture`'s `Git` class, specifically in the method that builds the `git for-each-ref` format string and then passes the output to Python's `eval()`. The patch modifies the format string in `git-big-picture` (lines ~583–597) and replaces `eval()` with `ast.literal_eval()`. A test file (`test.scf`) was also added to verify handling of branch names containing tick and quote characters.

What the fix does

Patch [patch_id=6635565] makes two key changes: (1) it adds `--python` to the `git for-each-ref` invocation and removes the single-quote wrapping from the format string, so Git itself outputs Python-safe literals; (2) it replaces `eval()` with `ast.literal_eval()`, which safely parses only literal Python data structures and cannot execute arbitrary code. Additionally, the label output is escaped with `label.replace('"', '\\"')` to prevent injection into the generated DOT file. Patch [patch_id=6635564] was an earlier, incomplete attempt that only added extra quoting around `%(refname)` and did not address the root cause.
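As an added illustration (not code from git-big-picture or from this advisory), the following Python simulates both format strategies on constructed ref names: the pre-1.0.0 style, where the `--format` string wraps each field in hand-written single quotes and the output reaches `eval()`, and the 1.0.0 style, where `--python` lets git emit the literals and `ast.literal_eval()` parses them. The tuple layout of the format string and the exact escaping git applies under `--python` are assumptions.

```python
import ast
from typing import Callable, List, Tuple

# Constructed sample refs (not from the advisory); the second name contains a tick.
SAMPLE_REFS: List[Tuple[str, str]] = [
    ("refs/heads/main", "0a1b2c3d"),
    ("refs/heads/it's-broken", "4e5f6a7b"),
]


def git_python_quote(value: str) -> str:
    """Mimic `git for-each-ref --python` quoting: a single-quoted Python string
    with ' and \\ backslash-escaped (assumption: matches git's quote.c)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_vulnerable(refs: List[Tuple[str, str]]) -> List[str]:
    """Pre-1.0.0 style: the --format string wraps each %(field) in literal
    single quotes, so git substitutes the raw ref name inside the quotes."""
    return ["('%s', '%s')" % (name, sha) for name, sha in refs]


def render_fixed(refs: List[Tuple[str, str]]) -> List[str]:
    """1.0.0 style: --python and no hand-written quotes; git emits the literals."""
    return ["(%s, %s)" % (git_python_quote(name), git_python_quote(sha)) for name, sha in refs]


def parse_vulnerable(line: str):
    """The original sink: whatever git printed is handed to eval()."""
    return eval(line)


def parse_fixed(line: str):
    """The patched sink: only Python literal structures are accepted."""
    return ast.literal_eval(line)


def outcome(parser: Callable[[str], object], line: str) -> Tuple[str, object]:
    """Run a parser and report ('ok', value) or ('error', exception class name)."""
    try:
        return ("ok", parser(line))
    except Exception as exc:  # SyntaxError from eval, ValueError from literal_eval
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    for old, new in zip(render_vulnerable(SAMPLE_REFS), render_fixed(SAMPLE_REFS)):
        print("vulnerable:", old, "->", outcome(parse_vulnerable, old))
        print("fixed:     ", new, "->", outcome(parse_fixed, new))
    # literal_eval refuses anything that is not a literal, e.g. a method call
    print("non-literal:", outcome(parse_fixed, "('a'.upper(), 'b')"))
```

The tick in the second ref name turns the hand-quoted line into invalid Python (a `SyntaxError` here, but a changed expression in the general case), whereas the git-quoted line round-trips to the original name and a non-literal input is rejected outright.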

Preconditions

  • Input: Attacker must be able to create or push a Git branch whose name contains a single tick (`'`) character into a repository that a victim will process with git-big-picture.
  • Config: Victim must run git-big-picture (version before 1.0.0) on the repository containing the malicious branch.

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
