Composer has multiple command injections via malicious git/hg branch names
Running the composer install command inside a git or hg repository that has specially crafted branch names can lead to command injection, because the branch names end up in shell commands. Exploitation therefore requires that the affected user first clones an untrusted repository.
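A pre-install check in that spirit, as an added example that is not Composer's own code: it lists the branch names of a freshly cloned repository through git's own argument list (never a shell string) and flags any name a POSIX shell would interpret, so the clone can be inspected before composer install touches it. The allowlist, the git for-each-ref invocation and the repository-path argument are this example's own assumptions.

```python
"""Pre-install check: flag git branch names that could be abused for shell
injection when a tool interpolates them into a command string.

Added example (not Composer's own code). Run it from, or point it at, the root
of a freshly cloned, untrusted repository before running composer install.
"""
import re
import subprocess
import sys

# Characters that mean something to a POSIX shell. A legitimate branch name
# (see git check-ref-format) never needs any of them.
SHELL_META = set(' \t\n;&|$`\\"\'<>(){}*?[]!#~^')


def is_safe_ref_name(name: str) -> bool:
    """True only for names that are valid git refs AND free of shell
    metacharacters. Deliberately conservative: a false positive costs a
    manual look, a false negative costs a compromised developer machine."""
    if not name or name.startswith("-"):        # leading '-' parses as an option
        return False
    if any(c in SHELL_META for c in name):
        return False
    # Rules from git-check-ref-format that a character allowlist cannot express.
    if name.endswith(("/", ".", ".lock")) or ".." in name:
        return False
    if name.startswith(("/", ".")) or "//" in name or "/." in name:
        return False
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._/+-]*", name) is not None


def unsafe_refs(ref_names):
    """Reduce a list of ref names to the ones that fail the check."""
    return [n for n in ref_names if not is_safe_ref_name(n)]


def list_repo_refs(repo_dir="."):
    """Ask git for every local and remote branch name. Arguments are passed as
    a list, so git itself is never started through a shell."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "for-each-ref", "--format=%(refname:short)",
         "refs/heads", "refs/remotes"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [line for line in out.splitlines() if line]


if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else "."
    bad = unsafe_refs(list_repo_refs(repo))
    for name in bad:
        print(f"suspicious branch name: {name!r}")   # repr, never re-shelled
    sys.exit(1 if bad else 0)
```

A non-zero exit means at least one branch name needs a human look before any tool that builds git or hg command lines from ref names is run in that checkout.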