GitLab disclosed on HackerOne: Git flag injection leading to file...

### Summary

The `ref_name` in the Commits API is not sanitized, allowing for a ref starting with `--` to be provided causing git to interpret it as a flag instead of as a ref. If a `ref_name` such as `--output=/tmp/some_file` is used then the following command is executed by gitaly in `find_commit…
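
The usual hardening for this class of bug, as an added Go example that is not code from GitLab, Gitaly or the report: reject a `ref_name` that could be read as an option, and place `--end-of-options` before it when building the argument list. The `git log --max-count=1` command line, the validation rules and all function names are assumptions, because the command in the summary is cut off on this page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// validateRevision: the rule set is an assumption made for this example.
func validateRevision(rev string) error {
	if rev == "" || strings.HasPrefix(rev, "-") {
		return errors.New("revision is empty or starts with '-'")
	}
	if strings.ContainsAny(rev, " \t\n\x00") {
		return errors.New("revision contains whitespace or NUL")
	}
	return nil
}

// unsafeLogArgs shows the flawed pattern on a hypothetical command line:
// the caller-supplied value lands where git still parses options.
func unsafeLogArgs(rev string) []string {
	return []string{"log", "--max-count=1", rev}
}

// safeLogArgs validates first, then adds --end-of-options (git >= 2.24) so a
// later regression in validation still cannot turn the value into a flag.
func safeLogArgs(rev string) ([]string, error) {
	if err := validateRevision(rev); err != nil {
		return nil, fmt.Errorf("rejecting ref_name %q: %w", rev, err)
	}
	return []string{"log", "--max-count=1", "--end-of-options", rev}, nil
}

// parsedAsOption is a simplified model of git's option parsing: argv[i] is an
// option if it starts with '-' and no --end-of-options comes before it.
func parsedAsOption(argv []string, i int) bool {
	for _, a := range argv[:i] {
		if a == "--end-of-options" {
			return false
		}
	}
	return strings.HasPrefix(argv[i], "-")
}

func main() {
	argv := unsafeLogArgs("--output=/tmp/some_file") // value quoted in the summary
	fmt.Println(argv, "parsed as option:", parsedAsOption(argv, 2))
	_, err := safeLogArgs("--output=/tmp/some_file")
	fmt.Println("hardened builder:", err)
}
```

The slices are meant to be passed to `exec.Command("git", args...)`, so no shell is involved and the only remaining parser is git's own.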