← 返回首页
Block unsafe underscored git kwargs / Fix for GHSA-rpm5-65cw-6hj4 by WesR · Pull Request #2131 · gitpython-developers/GitPython · GitHub
Skip to content

Navigation Menu

Toggle navigation
Sign in
Appearance settings
Search or jump to...

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted
Cancel Submit feedback

Saved searches

Use saved searches to filter your results more quickly

Cancel Create saved search
Appearance settings
Resetting focus

Block unsafe underscored git kwargs / Fix for GHSA-rpm5-65cw-6hj4 #2131

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Byron merged 3 commits into from
Apr 22, 2026
+46 −18
Conversation 11 Commits 3 Checks 30 Files changed 4
Merged

Block unsafe underscored git kwargs / Fix for GHSA-rpm5-65cw-6hj4 #2131

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1421958
Block unsafe underscored git kwargs / Fix for GHSA-rpm5-65cw-6hj4
WesR Apr 21, 2026
9aed7cf
linter fix
WesR Apr 21, 2026
43d92de
git.cmd: harden unsafe option canonicalization and isolate push test …
WesR Apr 21, 2026
File filter

Filter by extension

Filter by extension .py  (4) All 1 file type selected Viewed files
Conversations
Failed to load comments. Retry
Loading
Jump to
Jump to file
Failed to load files. Retry
Loading
Diff view
Unified
Split
Hide whitespace
Apply and reload
Show whitespace
Diff view
Unified
Split
Hide whitespace
Apply and reload
28 changes: 20 additions & 8 deletions git/cmd.py
Show comments
View file Edit file Delete file
Open in desktop
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Show hidden characters
Original file line number Diff line number Diff line change
Expand Up @@ -944,22 +944,34 @@ def check_unsafe_protocols(cls, url: str) -> None:
f"The `{protocol}::` protocol looks suspicious, use `allow_unsafe_protocols=True` to allow it."
)

@classmethod
def _canonicalize_option_name(cls, option: str) -> str:
"""Return the option name used for unsafe-option checks.

Examples:
``"--upload-pack=/tmp/helper"`` -> ``"upload-pack"``
``"upload_pack"`` -> ``"upload-pack"``
``"--config core.filemode=false"`` -> ``"config"``
"""
option_name = option.lstrip("-").split("=", 1)[0]
option_tokens = option_name.split(None, 1)
if not option_tokens:
return ""
return dashify(option_tokens[0])

@classmethod
def check_unsafe_options(cls, options: List[str], unsafe_options: List[str]) -> None:
"""Check for unsafe options.

Some options that are passed to ``git <command>`` can be used to execute
arbitrary commands. These are blocked by default.
"""
# Options can be of the form `foo`, `--foo bar`, or `--foo=bar`, so we need to
# check if they start with "--foo" or if they are equal to "foo".
bare_unsafe_options = [option.lstrip("-") for option in unsafe_options]
# Options can be of the form `foo`, `--foo`, `--foo bar`, or `--foo=bar`.
canonical_unsafe_options = {cls._canonicalize_option_name(option): option for option in unsafe_options}
for option in options:
for unsafe_option, bare_option in zip(unsafe_options, bare_unsafe_options):
if option.startswith(unsafe_option) or option == bare_option:
raise UnsafeOptionError(
f"{unsafe_option} is not allowed, use `allow_unsafe_options=True` to allow it."
)
unsafe_option = canonical_unsafe_options.get(cls._canonicalize_option_name(option))
if unsafe_option is not None:
raise UnsafeOptionError(f"{unsafe_option} is not allowed, use `allow_unsafe_options=True` to allow it.")

AutoInterrupt: TypeAlias = _AutoInterrupt

Expand Down
2 changes: 2 additions & 0 deletions test/test_clone.py
Show comments
View file Edit file Delete file
Open in desktop
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Show hidden characters
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,7 @@ def test_clone_unsafe_options(self, rw_repo):

unsafe_options = [
{"upload-pack": f"touch {tmp_file}"},
{"upload_pack": f"touch {tmp_file}"},
{"u": f"touch {tmp_file}"},
{"config": "protocol.ext.allow=always"},
{"c": "protocol.ext.allow=always"},
Expand Down Expand Up @@ -216,6 +217,7 @@ def test_clone_from_unsafe_options(self, rw_repo):

unsafe_options = [
{"upload-pack": f"touch {tmp_file}"},
{"upload_pack": f"touch {tmp_file}"},
{"u": f"touch {tmp_file}"},
{"config": "protocol.ext.allow=always"},
{"c": "protocol.ext.allow=always"},
Expand Down
16 changes: 16 additions & 0 deletions test/test_git.py
Show comments
View file Edit file Delete file
Open in desktop
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Show hidden characters
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
import ddt

from git import Git, GitCommandError, GitCommandNotFound, Repo, cmd, refresh
from git.exc import UnsafeOptionError
from git.util import cwd, finalize_process

from test.lib import TestBase, fixture_path, with_rw_directory
Expand Down Expand Up @@ -154,6 +155,21 @@ def test_it_transforms_kwargs_into_git_command_arguments(self):
res = self.git.transform_kwargs(**{"s": True, "t": True})
self.assertEqual({"-s", "-t"}, set(res))

def test_check_unsafe_options_normalizes_kwargs(self):
cases = [
(["upload_pack"], ["--upload-pack"]),
(["receive_pack"], ["--receive-pack"]),
(["exec"], ["--exec"]),
(["u"], ["-u"]),
(["c"], ["-c"]),
(["--upload-pack=/tmp/helper"], ["--upload-pack"]),
(["--config core.filemode=false"], ["--config"]),
]

for options, unsafe_options in cases:
with self.assertRaises(UnsafeOptionError):
Git.check_unsafe_options(options=options, unsafe_options=unsafe_options)

_shell_cases = (
# value_in_call, value_from_class, expected_popen_arg
(None, False, False),
Expand Down
18 changes: 8 additions & 10 deletions test/test_remote.py
Show comments
View file Edit file Delete file
Open in desktop
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Show hidden characters
Original file line number Diff line number Diff line change
Expand Up @@ -827,7 +827,7 @@ def test_fetch_unsafe_options(self, rw_repo):
remote = rw_repo.remote("origin")
tmp_dir = Path(tdir)
tmp_file = tmp_dir / "pwn"
unsafe_options = [{"upload-pack": f"touch {tmp_file}"}]
unsafe_options = [{"upload-pack": f"touch {tmp_file}"}, {"upload_pack": f"touch {tmp_file}"}]
for unsafe_option in unsafe_options:
with self.assertRaises(UnsafeOptionError):
remote.fetch(**unsafe_option)
Expand Down Expand Up @@ -895,7 +895,7 @@ def test_pull_unsafe_options(self, rw_repo):
remote = rw_repo.remote("origin")
tmp_dir = Path(tdir)
tmp_file = tmp_dir / "pwn"
unsafe_options = [{"upload-pack": f"touch {tmp_file}"}]
unsafe_options = [{"upload-pack": f"touch {tmp_file}"}, {"upload_pack": f"touch {tmp_file}"}]
for unsafe_option in unsafe_options:
with self.assertRaises(UnsafeOptionError):
remote.pull(**unsafe_option)
Expand Down Expand Up @@ -964,10 +964,9 @@ def test_push_unsafe_options(self, rw_repo):
tmp_dir = Path(tdir)
tmp_file = tmp_dir / "pwn"
unsafe_options = [
{
"receive-pack": f"touch {tmp_file}",
"exec": f"touch {tmp_file}",
}
{"receive-pack": f"touch {tmp_file}"},
{"receive_pack": f"touch {tmp_file}"},
{"exec": f"touch {tmp_file}"},
]
for unsafe_option in unsafe_options:
assert not tmp_file.exists()
Expand All @@ -991,10 +990,9 @@ def test_push_unsafe_options_allowed(self, rw_repo):
tmp_dir = Path(tdir)
tmp_file = tmp_dir / "pwn"
unsafe_options = [
{
"receive-pack": f"touch {tmp_file}",
"exec": f"touch {tmp_file}",
}
{"receive-pack": f"touch {tmp_file}"},
{"receive_pack": f"touch {tmp_file}"},
{"exec": f"touch {tmp_file}"},
]
for unsafe_option in unsafe_options:
# The options will be allowed, but the command will fail.
Expand Down
Loading
Toggle all file notes Toggle all file annotations

Footer

© 2026 GitHub, Inc.