Thor before 1.4.0 can construct an unsafe shell command from library input.
https://hackerone.com/reports/3260153
https://github.com/rails/thor/releases/tag/v1.4.0
https://github.com/rails/thor/pull/897
https://github.com/rails/thor/commit/536b79036a0efb765c1899233412e7b1ca94abfa