Hi IBB,
I’d like to submit an issue that exists in Mercurial.
It is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in
the form of a .git/hooks/post-update script checked in to the repository in Mercurial 4.4 and earlier.
Typical use of Mercurial prevents construction of such repositories, but they can be created
programmatically.
Further details of my original report can be found at:
https://bz.mercurial-scm.org/show_bug.cgi?id=5730
And the Mercurial security advisory:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29
Thanks,
Terry
A crafted Mercurial repo with an evil Git subrepo can lead to execution of arbitrary commands on the user’s OS. Other web applications or clients that support Mercurial repo management or invoke hg-related commands are also at risk from this vulnerability.