|
5 | 5 | # the BSD License: http://www.opensource.org/licenses/bsd-license.php
|
6 | 6 |
|
7 | 7 | from itertools import chain
|
| 8 | +from pathlib import Path |
8 | 9 |
|
9 | 10 | from git import (
|
10 | 11 | Reference,
|
|
20 | 21 | from git.objects.tag import TagObject
|
21 | 22 | from test.lib import TestBase, with_rw_repo
|
22 | 23 | from git.util import Actor
|
| 24 | +from gitdb.exc import BadName |
23 | 25 |
|
24 | 26 | import git.refs as refs
|
25 | 27 | import os.path as osp
|
| 28 | +import tempfile |
26 | 29 |
|
27 | 30 |
|
28 | 31 | class TestRefs(TestBase):
|
@@ -616,3 +619,15 @@ def test_dereference_recursive(self):
|
616 | 619 |
|
617 | 620 | def test_reflog(self):
|
618 | 621 | assert isinstance(self.rorepo.heads.master.log(), RefLog)
|
| 622 | + |
| 623 | + def test_refs_outside_repo(self): |
| 624 | + # Create a file containing a valid reference outside the repository. Attempting |
| 625 | + # to access it should raise an exception, due to it containing a parent directory |
| 626 | + # reference ('..'). This tests for CVE-2023-41040. |
| 627 | + git_dir = Path(self.rorepo.git_dir) |
| 628 | + repo_parent_dir = git_dir.parent.parent |
| 629 | + with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file: |
| 630 | + ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe") |
| 631 | + ref_file.flush() |
| 632 | + ref_file_name = Path(ref_file.name).name |
| 633 | + self.assertRaises(BadName, self.rorepo.commit, f"../../{ref_file_name}") |
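Review bot: The `repo_parent_dir = git_dir.parent.parent` line on the new side only lands outside the repository when `git_dir` is a nested `<checkout>/.git` directory; for a linked worktree (`.git/worktrees/<name>`) two levels up is still inside `.git`, so the `../../` in the assertion would then not exercise the outside-the-repo case the test is named for. Since `self.rorepo` is presumably a plain checkout this holds today, but it is an unstated assumption worth pinning in the comment, e.g. `# assumes git_dir is <checkout>/.git, so two parents up is outside the repository`. Relatedly, the test writes the temporary ref file into the directory above the checkout, which is outside the test's own sandbox; a one-line comment saying why that location is required (the traversal path is relative to git_dir) would stop a later cleanup from moving it into a tempdir and silently weakening the test. The meaning of the hex constant on line 630 is also undocumented — if it need not be a real object id, say so (`# any well-formed SHA; only the file's presence matters`), and if it must resolve in the fixture repo, say that instead. The enclosing class `TestRefs` starts outside this hunk.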