github.com/gitlabhq/gitlab-runner is vulnerable to Command Injection. The vulnerability exists because the library does not properly escape user input commands, allowing an attacker to create a branch with a specially crafted name and get another user to trigger a pipeline to execute commands in the runner as that other user.