File tree Expand file tree Collapse file tree 1 file changed +14
-0
lines changed Expand file tree Collapse file tree 1 file changed +14
-0
lines changed Original file line number Diff line number Diff line change 55# the BSD License: http://www.opensource.org/licenses/bsd-license.php
66
77from itertools import chain
8+ from pathlib import Path
89
910from git import (
1011 Reference ,
2021from git .objects .tag import TagObject
2122from test .lib import TestBase , with_rw_repo
2223from git .util import Actor
24+ from gitdb .exc import BadName
2325
2426import git .refs as refs
2527import os .path as osp
28+ import tempfile
2629
2730
2831class TestRefs (TestBase ):
@@ -616,3 +619,14 @@ def test_dereference_recursive(self):
616619
617620 def test_reflog (self ):
618621 assert isinstance (self .rorepo .heads .master .log (), RefLog )
622+
623+ def test_refs_outside_repo (self ):
624+ # Create a file containing a valid reference outside the repository. Attempting
625+ # to access it should raise an exception. This tests for CVE-2023-41040.
626+ git_dir = Path (self .rorepo .git_dir )
627+ repo_parent_dir = git_dir .parent .parent
628+ with tempfile .NamedTemporaryFile (dir = repo_parent_dir ) as ref_file :
629+ ref_file .write (b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe" )
630+ ref_file .flush ()
631+ ref_file_name = Path (ref_file .name ).name
632+ self .assertRaises (BadName , self .rorepo .commit , f"../../{ ref_file_name } )
You can’t perform that action at this time.
0 commit comments