steveukx · steveukx · May 2, 2026 · Apr 28, 2026 · May 2, 2026 · May 2, 2026
diff --git a/.changeset/hungry-kings-love.md b/.changeset/hungry-kings-love.md
@@ -0,0 +1,7 @@
+---
+"@simple-git/argv-parser": patch
+---
+
+Vulnerability detection expanded to include `pager.*`, `uploadpack.packObjectsHook`, `difftool.*.cmd` and use of the `GIT_CONFIG_PARAMETERS` environment variable
+
+Thanks to @threalwinky and @nuc13us for identifying.
diff --git a/.yarn/releases/yarn-4.12.0.cjs b/.yarn/releases/yarn-4.12.0.cjs
diff --git a/.yarn/releases/yarn-4.14.1.cjs b/.yarn/releases/yarn-4.14.1.cjs
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -1,11 +1,15 @@
+approvedGitRepositories: []
+
 compressionLevel: mixed
 
 enableGlobalCache: false
 
+enableScripts: false
+
 nodeLinker: node-modules
 
 npmPublishAccess: public
 
-npmPublishRegistry: https://registry.npmjs.org
+npmPublishRegistry: "https://registry.npmjs.org"
 
-yarnPath: .yarn/releases/yarn-4.12.0.cjs
+yarnPath: .yarn/releases/yarn-4.14.1.cjs
diff --git a/package.json b/package.json
@@ -32,5 +32,5 @@
     "@biomejs/biome": "^2.1.4",
     "@kwsites/exec-p": "^0.4.0"
   },
-  "packageManager": "yarn@4.12.0"
+  "packageManager": "yarn@4.14.1"
 }
diff --git a/packages/argv-parser/src/env/parse-env.ts b/packages/argv-parser/src/env/parse-env.ts
@@ -8,6 +8,7 @@ const GitEnvKeys = {
    'git_config_global': 'allowUnsafeConfigPaths',
    'git_config_system': 'allowUnsafeConfigPaths',
    'git_config_count': 'allowUnsafeConfigEnvCount',
+   'git_config_parameters': 'allowUnsafeConfigEnvCount',
    'git_config': 'allowUnsafeConfigPaths',
    'git_editor': 'allowUnsafeEditor',
    'git_exec_path': 'allowUnsafeConfigPaths',

diff --git a/packages/argv-parser/src/vulnerabilities/detect-vulnerable-config-writes.ts b/packages/argv-parser/src/vulnerabilities/detect-vulnerable-config-writes.ts
@@ -48,16 +48,19 @@ const preventUnsafeConfig = [
    preventExpandedConfigBuilder('credential.helper', 'allowUnsafeCredentialHelper'),
    preventExpandedConfigBuilder('diff.command', 'allowUnsafeDiffExternal'),
    preventConfigBuilder('diff.external', 'allowUnsafeDiffExternal'),
+   preventExpandedConfigBuilder('difftool.cmd', 'allowUnsafeDiffExternal'),
    preventExpandedConfigBuilder('diff.textconv', 'allowUnsafeDiffTextConv'),
    preventExpandedConfigBuilder('filter.clean', 'allowUnsafeFilter'),
    preventExpandedConfigBuilder('filter.smudge', 'allowUnsafeFilter'),
    preventExpandedConfigBuilder('gpg.program', 'allowUnsafeGpgProgram'),
    preventConfigBuilder('init.templateDir', 'allowUnsafeTemplateDir'),
+   preventExpandedConfigBuilder('pager.', 'allowUnsafePager'),
    preventExpandedConfigBuilder('merge.driver', 'allowUnsafeMergeDriver'),
    preventExpandedConfigBuilder('mergetool.path', 'allowUnsafeMergeDriver'),
    preventExpandedConfigBuilder('mergetool.cmd', 'allowUnsafeMergeDriver'),
    preventExpandedConfigBuilder('protocol.allow', 'allowUnsafeProtocolOverride'),
    preventExpandedConfigBuilder('remote.receivepack', 'allowUnsafePack'),
    preventExpandedConfigBuilder('remote.uploadpack', 'allowUnsafePack'),
+   preventConfigBuilder('uploadpack.packObjectsHook', 'allowUnsafePack'),
    preventConfigBuilder('sequence.editor', 'allowUnsafeEditor'),
 ];
diff --git a/packages/argv-parser/test/parse-env.spec.ts b/packages/argv-parser/test/parse-env.spec.ts
@@ -28,6 +28,7 @@ describe('parseEnv', () => {
       ['GIT_CONFIG_GLOBAL', '/tmp/malicious', 'allowUnsafeConfigPaths'],
       ['GIT_CONFIG_SYSTEM', '/tmp/malicious', 'allowUnsafeConfigPaths'],
       ['GIT_CONFIG_COUNT', '1', 'allowUnsafeConfigEnvCount'],
+      ['GIT_CONFIG_PARAMETERS', "'core.pager=cat'", 'allowUnsafeConfigEnvCount'],
       ['GIT_CONFIG', '/tmp/malicious', 'allowUnsafeConfigPaths'],
       ['GIT_EDITOR', '/tmp/malicious', 'allowUnsafeEditor'],
       ['GIT_SEQUENCE_EDITOR', '/tmp/malicious', 'allowUnsafeEditor'],

diff --git a/packages/argv-parser/test/vulnerability-analysis.spec.ts b/packages/argv-parser/test/vulnerability-analysis.spec.ts
@@ -65,6 +65,7 @@ describe('VulnerabilityAnalysis', () => {
       ['diff.command', 'malicious', 'allowUnsafeDiffExternal'],
       ['diff.driver.command', 'malicious', 'allowUnsafeDiffExternal'],
       ['diff.external', 'malicious', 'allowUnsafeDiffExternal'],
+      ['difftool.vimdiff.cmd', 'malicious', 'allowUnsafeDiffExternal'],
       ['diff.textconv', 'malicious', 'allowUnsafeDiffTextConv'],
       ['diff.driver.textconv', 'malicious', 'allowUnsafeDiffTextConv'],
       ['filter.clean', 'malicious', 'allowUnsafeFilter'],
@@ -74,6 +75,8 @@ describe('VulnerabilityAnalysis', () => {
       ['gpg.program', 'malicious', 'allowUnsafeGpgProgram'],
       ['gpg.type.program', 'malicious', 'allowUnsafeGpgProgram'],
       ['init.templateDir', '/tmp/evil', 'allowUnsafeTemplateDir'],
+      ['pager.log', 'malicious', 'allowUnsafePager'],
+      ['pager.log.color', 'malicious', 'allowUnsafePager'],
       ['merge.driver', '/tmp/evil', 'allowUnsafeMergeDriver'],
       ['merge.foo.driver', '/tmp/evil', 'allowUnsafeMergeDriver'],
       ['mergetool.path', '/tmp/evil', 'allowUnsafeMergeDriver'],
@@ -84,6 +87,7 @@ describe('VulnerabilityAnalysis', () => {
       ['remote.https://example.com.receivepack', 'malicious', 'allowUnsafePack'],
       ['remote.uploadpack', 'malicious', 'allowUnsafePack'],
       ['remote.https://example.com.uploadpack', 'malicious', 'allowUnsafePack'],
+      ['uploadpack.packObjectsHook', 'malicious', 'allowUnsafePack'],
       ['sequence.editor', 'malicious', 'allowUnsafeEditor'],
    ])('writing %s = %s to the git config', (key, value, category) => {
       const expected = category ? oneVulnerability(category) : noVulnerabilities();

diff --git a/yarn.lock b/yarn.lock
@@ -2,7 +2,7 @@
 # Manual changes might be lost - proceed with caution!
 
 __metadata:
-  version: 8
+  version: 9
   cacheKey: 10
 
 "@ampproject/remapping@npm:^2.2.0":