# HG changeset patch
# User Drew DeVault
# Date 1680351410 -7200
# Sat Apr 01 14:16:50 2023 +0200
# Node ID 833b942ffc8e7c39d72e3c4f8d2b46404afa3b48
# Parent 51771c2e3b86be7e20a61e77f25aa81f3dd44f60
API: fix command injection in resolvers
diff --git a/api/graph/schema.resolvers.go b/api/graph/schema.resolvers.go
--- a/api/graph/schema.resolvers.go
+++ b/api/graph/schema.resolvers.go
@@ -700,10 +700,10 @@
 }
 cmdparams := []string{"heads"}
+cmdparams = append(cmdparams, "--template", HG_CHANGESET)
 if rev != nil {
-cmdparams = append(cmdparams, *rev)
+cmdparams = append(cmdparams, "--", *rev)
 }
-cmdparams = append(cmdparams, "--template", HG_CHANGESET)
 out, err := obj.ExecuteCommand(ctx, cmdparams...)
 if err != nil {
@@ -744,7 +744,7 @@
 cmdparams := []string{"log", "-l", strconv.Itoa(cursor.Count + 1)}
 if rev != nil {
-cmdparams = append(cmdparams, "-r", *rev)
+cmdparams = append(cmdparams, fmt.Sprintf("--rev=%s", *rev))
 } else if cursor.Next != "" {
 cmdparams = append(cmdparams, "-r", fmt.Sprintf("reverse(ancestors(%s))", cursor.Next))
 }
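Review bot: The reordering in the `heads` hunk is load-bearing but undocumented: `--template` has to be appended before the new `"--"`, because anything after `--` is taken as a positional argument and the template option would otherwise be swallowed, so a future edit that moves the template line back below the `if` would silently reintroduce the option-injection the commit fixes. A short comment at the `"--"` line would pin that invariant, e.g. `// "--" ends option parsing so a caller-supplied rev (e.g. one starting with "-") is never read as an hg option; every option must be appended above this line.`. The same reasoning applies to the `--rev=` form in the `log` hunk below, where a comment on that line would serve the same purpose. The enclosing resolver starts and ends outside this hunk, so I cannot see whether `rev` is validated before it reaches here.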
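Review bot: The `--rev=%s` rewrite closes the option-injection path for `*rev`, but the untouched `else if` branch two lines below still interpolates `cursor.Next` into a revset expression with `fmt.Sprintf("reverse(ancestors(%s))", cursor.Next)`; since that argument always begins with `reverse(` it cannot be parsed as an option, but the revset grammar itself is not escaped, so if `cursor.Next` is client-supplied rather than server-minted it can extend the expression and widen the selection beyond the intended ancestors. If the cursor is meant to be a changeset hash, validating it as such before the `Sprintf` (or rejecting anything outside `[0-9a-f]+`) would make the branch as tight as the fixed one; if it is only ever produced by the server, a comment saying so at that line would spare the next reader the same question. The enclosing function begins and ends outside this hunk, so any existing validation of `cursor.Next` is not visible here.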