Description-Behavior Mismatch
Medium
- Confidence
- 93% confidence
- Finding
- The script derives a predictable path under /tmp from the remote URL and reuses any existing directory there without verifying that it is actually the intended repository or even a valid safe git working tree for that remote. This can cause deployment into attacker-controlled or stale local content, leading to unintended file deletion, commits, and force-pushes to the configured remote branch.
