Some shell commands, like git ls-remote, can execute arbitrary commands if a user provides a malicious URL that starts with --upload-pack. This can be used to execute arbitrary code on the server.

Sanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands.

The following example shows code that executes git ls-remote on a URL that can be controlled by a malicious user.

The problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command.

Max Justicz: Hacking 3,000,000 apps at once through CocoaPods.

Git: Git - git-ls-remote Documentation.

OWASP: Command Injection.