OS Injection issue with plugins

https://huntr.dev/bounties/1624730404898-FalconChristmas/fpp/

scripts/install_plugin

@@ -15,6 +15,12 @@ teeOutput
 
 echo "Installing plugin $1"
 cd ${PLUGINDIR} && $SUDO git clone --single-branch --branch $3 $2 $1
+rc=$?
+if [ $rc -ne 0 ]; then
+	echo "Failed to fetch $1 using $2 -- aborting"
+	exit 1
+fi
+
 if [ "x$4" != "x" ]
 then
 	(cd $1 && $SUDO git reset --hard $4)

www/api/controllers/plugin.php

@@ -41,9 +41,9 @@ function InstallPlugin()
 
 	$pluginInfo = json_decode($pluginInfoJSON, true);
 
-	$plugin = $pluginInfo['repoName'];
+	$plugin = escapeshellcmd($pluginInfo['repoName']);
 	$srcURL = $pluginInfo['srcURL'];
-	$branch = $pluginInfo['branch'];
+	$branch = escapeshellcmd($pluginInfo['branch']);
 	$sha = $pluginInfo['sha'];
 	$infoURL = $pluginInfo['infoURL'];