Commit a56113e

committed

Fix CVE-2023-41040

This change adds a check during reference resolving to see if the requested reference is inside the current repository folder. If it's ouside, it raises an exception. This fixes CVE-2023-41040, which allows an attacker to access files outside the repository's directory.

1 parent 91b464c commit a56113eCopy full SHA for a56113e

File tree

1 file changed

-1

lines changed

git/refs
- symbolic.py

1 file changed

-1

lines changed

`‎git/refs/symbolic.py`

Lines changed: 8 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`from git.types import PathLike`
	`2`	`+from pathlib import Path`
`2`	`3`	`import os`
`3`	`4`
`4`	`5`	`from git.compat import defenc`
`@@ -171,7 +172,13 @@ def _get_ref_info_helper(`
`171`	`172`	`tokens: Union[None, List[str], Tuple[str, str]] = None`
`172`	`173`	`repodir = _git_dir(repo, ref_path)`
`173`	`174`	`try:`
`174`		`- with open(os.path.join(repodir, str(ref_path)), "rt", encoding="UTF-8") as fp:`
	`175`	`+ # Make path absolute, resolving any symlinks, and check that we are still`
	`176`	`+ # inside the repository`
	`177`	`+ full_ref_path = Path(repodir, str(ref_path)).resolve()`
	`178`	`+ if Path(repodir).resolve() not in full_ref_path.parents:`
	`179`	`+ raise ValueError(f"Reference at {full_ref_path} is outside the repo directory")`
	`180`	`+`
	`181`	`+ with open(full_ref_path, "rt", encoding="UTF-8") as fp:`
`175`	`182`	`value = fp.read().rstrip()`
`176`	`183`	`# Don't only split on spaces, but on whitespace, which allows to parse lines like`
`177`	`184`	`# 60b64ef992065e2600bfef6187a97f92398a9144 branch 'master' of git-server:/path/to/repo`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit a56113e

File tree

1 file changed

1 file changed

`‎git/refs/symbolic.py`

0 commit comments