prevent out-of-repo access when manipulating references. by Byron · Pull Request #2134 · gitpython-developers/GitPython · GitHub
Skip to content

prevent out-of-repo access when manipulating references. #2134

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Byron merged 2 commits into from
Apr 28, 2026
+164 −11
Merged

prevent out-of-repo access when manipulating references. #2134

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
25ba54d
prevent out-of-repo access when manipulating references.
codex Apr 28, 2026
4af8463
address review feedback and CI failures
codex Apr 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions git/refs/log.py
View file
Open in desktop
7 changes: 5 additions & 2 deletions git/refs/remote.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,17 +58,20 @@ def delete(cls, repo: "Repo", *refs: "RemoteReference", **kwargs: Any) -> None:
`kwargs` are given for comparability with the base class method as we
should not narrow the signature.
"""
for ref in refs:
cls._check_ref_name_valid(ref.path)

repo.git.branch("-d", "-r", *refs)
# The official deletion method will ignore remote symbolic refs - these are
# generally ignored in the refs/ folder. We don't though and delete remainders
# manually.
for ref in refs:
try:
os.remove(os.path.join(repo.common_dir, ref.path))
os.remove(cls._get_validated_path(repo.common_dir, ref.path))
except OSError:
pass
try:
os.remove(os.path.join(repo.git_dir, ref.path))
os.remove(cls._get_validated_path(repo.git_dir, ref.path))
except OSError:
pass
# END for each ref
Expand Down
37 changes: 31 additions & 6 deletions git/refs/symbolic.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,32 @@ def name(self) -> str:
def abspath(self) -> PathLike:
return join_path_native(_git_dir(self.repo, self.path), self.path)

@staticmethod
def _get_validated_path(base: PathLike, path: PathLike) -> str:
path = os.fspath(path)
base_path = os.path.realpath(os.fspath(base))
abs_path = os.path.realpath(os.path.join(base_path, path))
try:
common_path = os.path.commonpath([base_path, abs_path])
except ValueError as e:
raise ValueError("Reference path %r escapes the repository" % path) from e
if os.path.normcase(common_path) != os.path.normcase(base_path):
raise ValueError("Reference path %r escapes the repository" % path)
Comment thread
Byron marked this conversation as resolved.
return abs_path

@classmethod
def _get_validated_ref_path(cls, repo: "Repo", path: PathLike) -> str:
"""Return the absolute filesystem path for a ref after validating it."""
cls._check_ref_name_valid(path)
ref_path = os.fspath(path)
return cls._get_validated_path(_git_dir(repo, ref_path), ref_path)

@classmethod
def _get_validated_reflog_path(cls, repo: "Repo", path: PathLike) -> str:
"""Return the absolute filesystem path for a reflog after validating it."""
cls._check_ref_name_valid(path)
return cls._get_validated_path(os.path.join(repo.git_dir, "logs"), path)

@classmethod
def _get_packed_refs_path(cls, repo: "Repo") -> str:
return os.path.join(repo.common_dir, "packed-refs")
Expand Down Expand Up @@ -485,7 +511,7 @@ def set_reference(
# END handle non-existing
# END retrieve old hexsha

fpath = self.abspath
fpath = self._get_validated_ref_path(self.repo, self.path)
assure_directory_exists(fpath, is_file=True)

lfd = LockedFD(fpath)
Expand Down Expand Up @@ -632,7 +658,7 @@ def delete(cls, repo: "Repo", path: PathLike) -> None:
Alternatively the symbolic reference to be deleted.
"""
full_ref_path = cls.to_full_path(path)
abs_path = os.path.join(repo.common_dir, full_ref_path)
abs_path = cls._get_validated_ref_path(repo, full_ref_path)
if os.path.exists(abs_path):
os.remove(abs_path)
else:
Expand Down Expand Up @@ -695,9 +721,8 @@ def _create(
symbolic reference. Otherwise it will be resolved to the corresponding object
and a detached symbolic reference will be created instead.
"""
git_dir = _git_dir(repo, path)
full_ref_path = cls.to_full_path(path)
abs_ref_path = os.path.join(git_dir, full_ref_path)
abs_ref_path = cls._get_validated_ref_path(repo, full_ref_path)

# Figure out target data.
target = reference
Expand Down Expand Up @@ -789,8 +814,8 @@ def rename(self, new_path: PathLike, force: bool = False) -> "SymbolicReference"
if self.path == new_path:
return self

new_abs_path = os.path.join(_git_dir(self.repo, new_path), new_path)
cur_abs_path = os.path.join(_git_dir(self.repo, self.path), self.path)
new_abs_path = self._get_validated_ref_path(self.repo, new_path)
cur_abs_path = self._get_validated_ref_path(self.repo, self.path)
if os.path.isfile(new_abs_path):
if not force:
# If they point to the same file, it's not an error.
Expand Down
2 changes: 1 addition & 1 deletion git/util.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -289,7 +289,7 @@ def join_path(a: PathLike, *p: PathLike) -> PathLike:

if sys.platform == "win32":

def to_native_path_windows(path: PathLike) -> PathLike:
def to_native_path_windows(path: PathLike) -> str:
path = os.fspath(path)
return path.replace("/", "\\")

Expand Down
123 changes: 123 additions & 0 deletions test/test_refs.py
View file
Open in desktop
Loading