A command injection in git-dummy-commit v1.3.0 allows os level commands to be executed due to an unescaped parameter.