From 02d13d6c16d3b2b7f0eb4eb45513bf3a842d969e Mon Sep 17 00:00:00 2001
From: Asjid Kalam
Date: Sat, 25 Jul 2020 14:55:12 +0530
Subject: [PATCH 1/2] added shell-escape module
---
 package.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/package.json b/package.json
index e205a2a..b72b345 100644
--- a/package.json
+++ b/package.json
@@ -34,7 +34,8 @@
 "execa": "^0.7.0",
 "is-git-repository": "^1.1.1",
 "os": "^0.1.1",
- "path-is-absolute": "^1.0.1"
+ "path-is-absolute": "^1.0.1",
+ "shell-escape": "^0.2.0"
 },
 "devDependencies": {
 "@babel/cli": "^7.8.4",
From fc192603b6b59e882bfe6d2faaa255519d1f1d43 Mon Sep 17 00:00:00 2001
From: Asjid Kalam
Date: Sat, 25 Jul 2020 14:58:39 +0530
Subject: [PATCH 2/2] Fixed code execution on git-commit-range
---
 index.js | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/index.js b/index.js
index b8eb645..e3be231 100644
--- a/index.js
+++ b/index.js
@@ -3,9 +3,17 @@ import isGit from 'is-git-repository';
 import { platform } from 'os';
 import makepath from 'path';
 import pathIsAbsolute from 'path-is-absolute';
+import shellescape from 'shell-escape';
 const cwd = process.cwd();
+var escapeShell = function(cmd) {
+ if(cmd !== undefined){
+ var arg = cmd.toString().split(" ");
+ return shellescape(arg);
+ }
+}
+
 const getCommitRange = (options = {}) => {
 const {
 path,
@@ -29,6 +37,11 @@ const getCommitRange = (options = {}) => {
 let getCommits;
 thisPath = pathIsAbsolute(thisPath) ? thisPath : makepath.join(cwd, thisPath);
+
+ // escaping bad shell arguments
+ thisPath = escapeShell(thisPath);
+ thisFrom = escapeShell(thisFrom);
+ thisTo = escapeShell(thisTo);
 if (!isGit(thisPath)) {
 return [];
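Review bot: `escapeShell` in the first index.js hunk splits its argument on spaces before handing it to `shellescape`, so each whitespace-separated token is escaped as its own shell word and a value such as `master --output=/tmp/x` still reaches git as a separate `--output=...` argument, since shell-escape (as far as I recall its rule) leaves tokens made only of plain characters unquoted; the fix therefore does not close git argument injection, which is what the commit title claims to fix. Quoting also only matters if the value reaches a shell at all: the execa call is not in this hunk, and if it is invoked with an argument array the inserted quotes become literal characters that break legitimate values (the later hunk also feeds the escaped `thisPath` to `isGit` as a filesystem path, where shell quoting has no meaning). I would escape the whole value as a single token, reject anything that starts with `-` regardless of how the command is run, and pass `--` before refs and paths in the git invocation; better still, drop the shell entirely and give execa an argument array so the new `shell-escape` dependency is not needed. The rewritten helper below keeps the name and the `undefined` passthrough so the later call sites stay valid.
```javascript
const escapeShell = (cmd) => {
  if (cmd === undefined) return undefined;
  const value = String(cmd);
  // git reads a leading '-' as an option, so never let such a value through,
  // whether or not a shell is involved.
  if (value.startsWith('-')) {
    throw new Error(`refusing argument that looks like a git option: ${value}`);
  }
  // Escape the value as ONE word; splitting on spaces would reintroduce
  // word-splitting and let injected option tokens survive.
  return shellescape([value]);
};
```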