CVE-2022-24439 Hand Cherry-Pick GitPython/pull/1521

More unfinished changes

Unfinished changes

Unfinished changes

All code changes should be in, time to test them

Fix things Tox didn't like for Python3

Fix more errors found during testing

Try to fix DDT problem with Python2

Author: rickprice

AUTHORS

@@ -33,5 +33,6 @@ Contributors are:
 -Steven Whitman <ninloot _at_ gmail.com>
 -Stefan Stancu <stefan.stancu _at_ gmail.com>
 -César Izurieta <cesar _at_ caih.org>
+-Santos Gallegos <stsewd _at_ proton.me>
 
 Portions derived from other open source works and are clearly marked.

errortext.txt

@@ -5,6 +5,8 @@
 # the BSD License: http://www.opensource.org/licenses/bsd-license.php
 
 import contextlib
+import re
+
 import io
 import logging
 import os
@@ -32,7 +34,7 @@
     is_posix,
     is_win,
 )
-from git.exc import CommandError
+from git.exc import CommandError, UnsafeOptionError, UnsafeProtocolError
 from git.util import is_cygwin_git, cygpath, expand_path
 
 from .exc import (
@@ -172,9 +174,49 @@ class Git(LazyMixin):
 
     _excluded_ = ('cat_file_all', 'cat_file_header', '_version_info')
 
+    re_unsafe_protocol = re.compile("(.+)::.+")
+
     def __getstate__(self):
         return slots_to_dict(self, exclude=self._excluded_)
 
+    @classmethod
+    def check_unsafe_protocols(cls, url):
+        """
+        Check for unsafe protocols.
+        Apart from the usual protocols (http, git, ssh),
+        Git allows "remote helpers" that have the form `<transport>::<address>`,
+        one of these helpers (`ext::`) can be used to invoke any arbitrary command.
+        See:
+        - https://git-scm.com/docs/gitremote-helpers
+        - https://git-scm.com/docs/git-remote-ext
+        """
+        match = cls.re_unsafe_protocol.match(url)
+        if match:
+            protocol = match.group(1)
+            raise UnsafeProtocolError(
+                "The `" + protocol + "::` protocol looks suspicious, use `allow_unsafe_protocols=True` to allow it."
+            )
+
+    @classmethod
+    def check_unsafe_options(cls, options, unsafe_options):
+        """
+        Check for unsafe options.
+        Some options that are passed to `git <command>` can be used to execute
+        arbitrary commands, this are blocked by default.
+        """
+        # Options can be of the form `foo` or `--foo bar` `--foo=bar`,
+        # so we need to check if they start with "--foo" or if they are equal to "foo".
+        bare_unsafe_options = [
+            option.lstrip("-")
+            for option in unsafe_options
+        ]
+        for option in options:
+            for unsafe_option, bare_option in zip(unsafe_options, bare_unsafe_options):
+                if option.startswith(unsafe_option) or option == bare_option:
+                    raise UnsafeOptionError(
+                        unsafe_option +" is not allowed, use `allow_unsafe_options=True` to allow it."
+                    )
+
     def __setstate__(self, d):
         dict_to_slots_and__excluded_are_none(self, d, excluded=self._excluded_)
 
@@ -1089,7 +1131,7 @@ def get_object_data(self, ref):
         :note: not threadsafe"""
         hexsha, typename, size, stream = self.stream_object_data(ref)
         data = stream.read(size)
-        del(stream)
+        del (stream)
         return (hexsha, typename, size, data)
 
     def stream_object_data(self, ref):

git/cmd.py

@@ -25,6 +25,14 @@ class NoSuchPathError(GitError, OSError):
     """ Thrown if a path could not be access by the system. """
 
 
+class UnsafeProtocolError(GitError):
+    """Thrown if unsafe protocols are passed without being explicitly allowed."""
+
+
+class UnsafeOptionError(GitError):
+    """Thrown if unsafe options are passed without being explicitly allowed."""
+
+
 class CommandError(UnicodeMixin, GitError):
     """Base class for exceptions thrown at every stage of `Popen()` execution.