Merge pull request #1644 from trail-of-forks/fix-cve-2023-41040
Byron authored Sep 7, 2023
2 parents 830025b + 65b8c6a commit 74e55ee
Showing 2 changed files with 17 additions and 0 deletions.
2 changes: 2 additions & 0 deletions git/refs/symbolic.py
Expand Up @@ -168,6 +168,8 @@ def _get_ref_info_helper(
"""Return: (str(sha), str(target_ref_path)) if available, the sha the file at
rela_path points to, or None. target_ref_path is the reference we
point to, or None"""
if ".." in str(ref_path):
raise ValueError(f"Invalid reference '{ref_path}'")
tokens: Union[None, List[str], Tuple[str, str]] = None
repodir = _git_dir(repo, ref_path)
try:
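Review bot: The guard added at the top of `_get_ref_info_helper` rejects only names containing `..`, so a ref_path that is itself an absolute path is still accepted; if the lookup further down joins it onto the repository directory with `os.path.join` (that join is outside this hunk), the absolute component replaces the directory and the file is again read from outside the repo. I would widen the check to `if ".." in str(ref_path) or os.path.isabs(str(ref_path)):` using whichever path helper the module already imports, and give it a why-comment such as `# Refuse ref names that could escape the git dir (CVE-2023-41040); git itself never allows ".." in a ref name, so this rejects no valid ref.` The substring match is safe from false positives for that reason, but the comment is what tells the next maintainer not to "relax" it. The function's signature and the rest of its body lie outside the hunk.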
15 changes: 15 additions & 0 deletions test/test_refs.py
Expand Up @@ -5,6 +5,7 @@
# the BSD License: http://www.opensource.org/licenses/bsd-license.php

from itertools import chain
from pathlib import Path

from git import (
Reference,
Expand All @@ -20,9 +21,11 @@
from git.objects.tag import TagObject
from test.lib import TestBase, with_rw_repo
from git.util import Actor
from gitdb.exc import BadName

import git.refs as refs
import os.path as osp
import tempfile


class TestRefs(TestBase):
Expand Down Expand Up @@ -616,3 +619,15 @@ def test_dereference_recursive(self):

def test_reflog(self):
assert isinstance(self.rorepo.heads.master.log(), RefLog)

def test_refs_outside_repo(self):
# Create a file containing a valid reference outside the repository. Attempting
# to access it should raise an exception, due to it containing a parent directory
# reference ('..'). This tests for CVE-2023-41040.
git_dir = Path(self.rorepo.git_dir)
repo_parent_dir = git_dir.parent.parent
with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
ref_file.flush()
ref_file_name = Path(ref_file.name).name
self.assertRaises(BadName, self.rorepo.commit, f"../../{ref_file_name}")
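Review bot: `test_refs_outside_repo` asserts `BadName` from `Repo.commit`, whereas the guard this commit adds raises `ValueError`, so the test only passes through a translation in the rev-parse path that is not part of this diff and could be changed without this test noticing. A second assertion that exercises the reference lookup directly, something like `self.assertRaises(ValueError, lambda: refs.SymbolicReference(self.rorepo, f"../../{ref_file_name}").commit)`, would pin the new check itself (the exact entry point to use should be confirmed against `git/refs/symbolic.py`). Separately, the temp file is written to the grandparent of the checkout's git dir, a directory the suite does not own; if it is not writable the test errors rather than skipping, and the `../../` depth silently assumes `git_dir` is `<checkout>/.git`, so a comment tying `repo_parent_dir` to that prefix, e.g. `# git_dir is <checkout>/.git, so "../../<name>" from it lands in repo_parent_dir`, would make the coupling explicit.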
