
pullit's Introduction


Pull It

Display and pull branches from GitHub pull requests.

Installation

npm install -g pullit

or

yarn global add pullit

Usage

From within any repo:

pullit


Then simply select a branch to fetch it down and check it out.

pullit's People

Contributors

dependabot[bot], jkup, karanjthakkar, thepauljones


pullit's Issues

WAT

Hi @jkup 👋
I'm not sure what's up here, but this is what I saw when I tried pullit for the first time 😅

[screenshot attached, 2017-10-14]

Any ideas? At the time, this pull request was open. I was just testing things out to see how it worked. Maybe it doesn't like my color scheme?

Handle errors / Promise rejections

It would be nice to throw human readable errors for every step. Is there a network issue? Can the git url be parsed? Is it even a git project you are in?

Support other remote than origin

At work (and I'd assume in open source), we rely heavily on forking and then merging in changes to the main repo. We then end up having origin be our fork, rather than the main repo.

I'll open up a PR for this in a minute or so!

Fails when trying to pull a PR whose branch is named the same as an existing one.

Upfront: Awesome tool, very useful! :)

I just came across this today: I received a PR for a repo, and the source branch in the fork was called the same as the target branch in my repository: develop.

When I tried to pull that PR, I received the following error:

fatal: Refusing to fetch into current branch refs/heads/develop of non-bare repository
Error: Could not find the specified pull request.

Git thinks you want to merge develop into develop or something, and refuses to do so.

It seems that would happen quite often, since people often do a quick fork, fix a little thing, commit without creating a new branch and open a PR to the default branch.

Maybe we could simply prepend all branches created by pullit with pullit/ or something? That would have the added benefit of making branches created by pullit easy to spot.

Sanitize inputs

Since this ultimately executes commands on the user's system it would be nice to just do basic sanitization so they don't mess anything up.

Private repos?

I get

Error: could not display pull requests. Please make sure this is a valid repository.

I assume it's because my GitHub repository is private; is there a way to have the utility ask for auth or use existing GitHub auth?

Security issue

Description

The pullit npm package makes insecure use of a shell execution API (i.e. exec() or execSync()), which is vulnerable to malicious user input based on a remote branch name on the GitHub platform that can be set by a 3rd party, hence luring an innocent user into using the pullit module on the target branch and resulting in a remote command execution exploit.

Steps To Reproduce:

The pullit project has a set of exec() calls to git commands whose arguments may originate from user input, in the form of a carefully created remote branch name on GitHub, which pullit pulls branch names from.

Reconstruction of a flow that results in remote command execution on the user running pullit:

  1. Create a branch that could potentially terminate an exec() command and concatenate a new command to it:
     git checkout -b ";{echo,hello,world}>/tmp/c"
  2. Push it to GitHub and create a pull request with this branch name.
  3. Run pullit from the command line and select the relevant pull request to check out locally.
  4. Read the contents of /tmp/c.

Patch

See below for a patch to fix the problem:

pullit-security-rce.patch:

diff --git a/src/index.js b/src/index.js
index 3a34831..9bffd0d 100644
--- a/src/index.js
+++ b/src/index.js
@@ -1,7 +1,7 @@
 const GitHubApi = require('github');
 const Menu = require('terminal-menu');
 const {
-  execSync
+  execFileSync
 } = require('child_process');
 const parse = require('parse-github-repo-url');
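Review bot: with execSync no longer imported after the `-  execSync` / `+  execFileSync` change, any execSync call site elsewhere in src/index.js that this patch does not touch becomes a ReferenceError at runtime; confirm that the two call sites converted below are the only ones, or keep both names in the destructuring until every caller is migrated.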

@@ -12,7 +12,7 @@ class Pullit {
   }

   init() {
-    const url = execSync(`git config --get remote.origin.url`, {
+    const url = execFileSync('git', ['config', '--get', 'remote.origin.url'], {
       encoding: 'utf8'
     }).trim();
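Review bot: the remote name is still hard-coded to origin in `['config', '--get', 'remote.origin.url']`, and execFileSync throws when git exits non-zero (no origin remote configured, or not inside a repository), which nothing in init() catches; wrapping this call in a try/catch that reports which of those two conditions failed would also address the open "Handle errors" and "Support other remote than origin" issues above.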

@@ -34,8 +34,11 @@ class Pullit {
       })
       .then(res => {
         const branch = res.data.head.ref;
-        execSync(
-          `git fetch origin pull/${id}/head:${branch} && git checkout ${branch}`
+        execFileSync(
+          'git', ['fetch', 'origin', `pull/${id}/head:${branch}`]
+        );
+        execFileSync(
+          'git', ['checkout', branch]
         );
       })
       .catch(err => {
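Review bot: splitting the `&&` chain into two execFileSync calls keeps the ordering (a non-zero exit from fetch throws before checkout runs), but both failures still land in the `.catch(err => {` handler below, whose "Could not find the specified pull request" message hides git's own diagnostic, for example the "Refusing to fetch into current branch" case reported in the issue above; pass `{ stdio: 'inherit' }` or include err.stderr in the message so the real cause is visible. The refspec `pull/${id}/head:${branch}` also reuses the PR head name verbatim as the local branch, so a PR head named like the checked-out branch still fails; the `pullit/` prefix proposed earlier would avoid that.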

Could not display pull requests

Version: 1.3.0

Currently getting the following error:

$ pullit
Error: could not display pull requests. Please make sure this is a valid repository.

Add Bitbucket support

I'm sure this means forking your codebase somehow, but Bitbucket support would be amazing :)
