File CVE-2023-41040.patch of Package python-GitPython.18070
Index: GitPython-3.1.12.1610074031.f653af66/git/refs/symbolic.py
===================================================================
--- GitPython-3.1.12.1610074031.f653af66.orig/git/refs/symbolic.py
+++ GitPython-3.1.12.1610074031.f653af66/git/refs/symbolic.py
@@ -139,6 +139,8 @@ class SymbolicReference(object):
"""Return: (str(sha), str(target_ref_path)) if available, the sha the file at
rela_path points to, or None. target_ref_path is the reference we
point to, or None"""
+ if ".." in str(ref_path):
+ raise ValueError(f"Invalid reference '{ref_path}'")
tokens = None
repodir = _git_dir(repo, ref_path)
try:
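Review bot: The new guard only rejects a parent-directory component; if `ref_path` is later joined onto the repository directory, an absolute `ref_path` would still resolve outside the repository, which this check does not cover — worth confirming against the rest of the method, which starts and continues outside this hunk. The substring test is acceptable because git itself forbids `..` in reference names, but that rationale is not stated, so a reader may later "relax" it; add a why-comment above the check, e.g. `# Refuse any parent-directory component: git never allows '..' in a ref name, and a crafted name must not read files outside the repository (CVE-2023-41040).` The raised type is `ValueError`, while the accompanying test expects `BadName` from `Repo.commit`, so the translation presumably happens in a caller outside this hunk; a short note on that would save the next maintainer a search.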
Index: GitPython-3.1.12.1610074031.f653af66/test/test_refs.py
===================================================================
--- GitPython-3.1.12.1610074031.f653af66.orig/test/test_refs.py
+++ GitPython-3.1.12.1610074031.f653af66/test/test_refs.py
@@ -5,6 +5,7 @@
# the BSD License: http://www.opensource.org/licenses/bsd-license.php
from itertools import chain
+from pathlib import Path
from git import (
Reference,
@@ -22,9 +23,11 @@ from test.lib import (
with_rw_repo
)
from git.util import Actor
+from gitdb.exc import BadName
import git.refs as refs
import os.path as osp
+import tempfile
class TestRefs(TestBase):
@@ -566,3 +569,15 @@ class TestRefs(TestBase):
def test_reflog(self):
assert isinstance(self.rorepo.heads.master.log(), RefLog)
+
+ def test_refs_outside_repo(self):
+ # Create a file containing a valid reference outside the repository. Attempting
+ # to access it should raise an exception, due to it containing a parent directory
+ # reference ('..'). This tests for CVE-2023-41040.
+ git_dir = Path(self.rorepo.git_dir)
+ repo_parent_dir = git_dir.parent.parent
+ with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
+ ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
+ ref_file.flush()
+ ref_file_name = Path(ref_file.name).name
+ self.assertRaises(BadName, self.rorepo.commit, f"../../{ref_file_name}")
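Review bot: The test expects `BadName`, but the fix in `symbolic.py` raises `ValueError`; the assertion therefore depends on `Repo.commit` translating that error somewhere outside this diff, and a one-line comment saying so would make the coupling explicit, e.g. `# The '..' check raises ValueError; Repo.commit surfaces it as BadName.` The temporary file is created in `git_dir.parent.parent`, i.e. outside the test's own sandbox, so the test assumes that directory is writable and that `git_dir` is exactly one level below the working tree; if either assumption fails the test errors instead of skipping, and the `../../` depth would no longer point at the file for a bare or worktree layout. Consider guarding with `self.skipTest` when `repo_parent_dir` is not writable, and naming the layout assumption in the existing comment.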