API: fix command injection in resolvers
1 files changed, 3 insertions(+), 3 deletions(-)

M api/graph/schema.resolvers.go
M api/graph/schema.resolvers.go +3 -3
@@ 700,10 700,10 @@ func (r *repositoryResolver) Heads(ctx c
 	}
 
 	cmdparams := []string{"heads"}
+	cmdparams = append(cmdparams, "--template", HG_CHANGESET)
 	if rev != nil {
-		cmdparams = append(cmdparams, *rev)
+		cmdparams = append(cmdparams, "--", *rev)
 	}
-	cmdparams = append(cmdparams, "--template", HG_CHANGESET)
 
 	out, err := obj.ExecuteCommand(ctx, cmdparams...)
 	if err != nil {
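Review bot: The ordering that makes this safe is not recorded in the code: everything appended after `"--"` is read by hg as a revision, so an option added below the `if rev != nil` block later would silently stop being an option. I would put a comment above the `"--"` append, for example `// "--" ends option parsing so a client-supplied rev cannot be read as a flag; add all options above this line.` The value of `*rev` is still passed through unchecked, so if it is expected to be a node id or a branch/tag name, a format check before the append would narrow what hg is asked to resolve. Heads starts and ends outside the hunk, so any earlier validation of `rev` is not visible here.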

          
@@ 744,7 744,7 @@ func (r *repositoryResolver) Log(ctx con
 
 	cmdparams := []string{"log", "-l", strconv.Itoa(cursor.Count + 1)}
 	if rev != nil {
-		cmdparams = append(cmdparams, "-r", *rev)
+		cmdparams = append(cmdparams, fmt.Sprintf("--rev=%s", *rev))
 	} else if cursor.Next != "" {
 		cmdparams = append(cmdparams, "-r", fmt.Sprintf("reverse(ancestors(%s))", cursor.Next))
 	}
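Review bot: The `else if cursor.Next != ""` branch still interpolates `cursor.Next` into the revset `reverse(ancestors(%s))` with no check, and this commit leaves it unchanged. Passed as its own argument after `-r` it cannot become an option, but if the cursor value comes from the client (its origin is outside the hunk) the caller controls part of the revset expression that hg evaluates. The same applies to `*rev` inside `--rev=%s`: the flag boundary is fixed, the revset content is not. I would check both values against the form the API expects before building the arguments, and add a comment on the `--rev=` line such as `// single argv element: rev cannot be parsed as a separate flag`. Log starts and ends outside the hunk.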