Commit2ab2ea9

committed

safe mode to disable executing any external programs except git

1 parentbf51609 commit2ab2ea9Copy full SHA for 2ab2ea9

File tree

2 files changed

+86

-6

lines changed

git
- cmd.py
- repo
  - base.py

2 files changed

+86

-6

lines changed

`‎git/cmd.py‎`

Lines changed: 51 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -398,6 +398,7 @@ class Git(metaclass=_GitMeta):`
`398`	`398`
`399`	`399`	`__slots__= (`
`400`	`400`	`"_working_dir",`
	`401`	`+"_safe",`
`401`	`402`	`"cat_file_all",`
`402`	`403`	`"cat_file_header",`
`403`	`404`	`"_version_info",`
`@@ -944,17 +945,20 @@ def __del__(self) -> None:`
`944`	`945`	`self._stream.read(bytes_left+1)`
`945`	`946`	`# END handle incomplete read`
`946`	`947`
`947`		`-def__init__(self,working_dir:Union[None,PathLike]=None)->None:`
	`948`	`+def__init__(self,working_dir:Union[None,PathLike]=None,safe:bool=False)->None:`
`948`	`949`	`"""Initialize this instance with:`
`949`	`950`
`950`	`951`	`:param working_dir:`
`951`	`952`	Git directory we should work in. If ``None``, we always work in the current
`952`	`953`	directory as returned by :func:`os.getcwd`.
`953`	`954`	`This is meant to be the working tree directory if available, or the`
`954`	`955`	``.git`` directory in case of bare repositories.
	`956`	`+`
	`957`	`+ TODO :param safe:`
`955`	`958`	`"""`
`956`	`959`	`super().__init__()`
`957`	`960`	`self._working_dir=expand_path(working_dir)`
	`961`	`+self._safe=safe`
`958`	`962`	`self._git_options:Union[List[str],Tuple[str, ...]]= ()`
`959`	`963`	`self._persistent_git_options:List[str]= []`
`960`	`964`
`@@ -1205,6 +1209,43 @@ def execute(`
`1205`	`1209`	`If you add additional keyword arguments to the signature of this method, you`
`1206`	`1210`	must update the ``execute_kwargs`` variable housed in this module.
`1207`	`1211`	`"""`
	`1212`	`+ifself._safe:`
	`1213`	`+ifisinstance(command,str):`
	`1214`	`+command= [command]`
	`1215`	`+config_args= [`
	`1216`	`+"-c",`
	`1217`	`+"core.askpass=/bin/true",`
	`1218`	`+"-c",`
	`1219`	`+"core.fsmonitor=false",`
	`1220`	`+"-c",`
	`1221`	`+"core.hooksPath=/dev/null",`
	`1222`	`+"-c",`
	`1223`	`+"core.sshCommand=/bin/true",`
	`1224`	`+"-c",`
	`1225`	`+"credential.helper=/bin/true",`
	`1226`	`+"-c",`
	`1227`	`+"http.emptyAuth=true",`
	`1228`	`+"-c",`
	`1229`	`+"protocol.allow=never",`
	`1230`	`+"-c",`
	`1231`	`+"protocol.https.allow=always",`
	`1232`	`+"-c",`
	`1233`	`+"url.https://bitbucket.org/.insteadOf=git@bitbucket.org:",`
	`1234`	`+"-c",`
	`1235`	`+"url.https://codeberg.org/.insteadOf=git@codeberg.org:",`
	`1236`	`+"-c",`
	`1237`	`+"url.https://github.com/.insteadOf=git@github.com:",`
	`1238`	`+"-c",`
	`1239`	`+"url.https://gitlab.com/.insteadOf=git@gitlab.com:",`
	`1240`	`+"-c",`
	`1241`	`+"url.https://.insteadOf=git://",`
	`1242`	`+"-c",`
	`1243`	`+"url.https://.insteadOf=http://",`
	`1244`	`+"-c",`
	`1245`	`+"url.https://.insteadOf=ssh://",`
	`1246`	`+ ]`
	`1247`	`+command= [command.pop(0)]+config_args+command`
	`1248`	`+`
`1208`	`1249`	`# Remove password for the command if present.`
`1209`	`1250`	`redacted_command=remove_password_if_present(command)`
`1210`	`1251`	`ifself.GIT_PYTHON_TRACEand (self.GIT_PYTHON_TRACE!="full"oras_process):`
`@@ -1227,6 +1268,15 @@ def execute(`
`1227`	`1268`	`# just to be sure.`
`1228`	`1269`	`env["LANGUAGE"]="C"`
`1229`	`1270`	`env["LC_ALL"]="C"`
	`1271`	`+# Globally disable things that can execute commands, including password prompts.`
	`1272`	`+ifself._safe:`
	`1273`	`+env["GIT_ASKPASS"]="/bin/true"`
	`1274`	`+env["GIT_EDITOR"]="/bin/true"`
	`1275`	`+env["GIT_PAGER"]="/bin/true"`
	`1276`	`+env["GIT_SSH"]="/bin/true"`
	`1277`	`+env["GIT_SSH_COMMAND"]="/bin/true"`
	`1278`	`+env["GIT_TERMINAL_PROMPT"]="false"`
	`1279`	`+env["SSH_ASKPASS"]="/bin/true"`
`1230`	`1280`	`env.update(self._environment)`
`1231`	`1281`	`ifinline_envisnotNone:`
`1232`	`1282`	`env.update(inline_env)`

`‎git/repo/base.py‎`

Lines changed: 35 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,9 @@ class Repo:`
`131`	`131`	`git_dir:PathLike`
`132`	`132`	"""The ``.git`` repository directory."""
`133`	`133`
	`134`	`+safe:None`
	`135`	`+"""Whether this is operating using restricted protocol and execution access."""`
	`136`	`+`
`134`	`137`	`_common_dir:PathLike=""`
`135`	`138`
`136`	`139`	`# Precompiled regex`
`@@ -175,6 +178,7 @@ def __init__(`
`175`	`178`	`odbt:Type[LooseObjectDB]=GitCmdObjectDB,`
`176`	`179`	`search_parent_directories:bool=False,`
`177`	`180`	`expand_vars:bool=True,`
	`181`	`+safe:bool=False,`
`178`	`182`	`)->None:`
`179`	`183`	R"""Create a new :class:`Repo` instance.
`180`	`184`
`@@ -204,6 +208,17 @@ def __init__(`
`204`	`208`	`Please note that this was the default behaviour in older versions of`
`205`	`209`	`GitPython, which is considered a bug though.`
`206`	`210`
	`211`	`+ :param safe:`
	`212`	`+ Lock down the configuration to make it as safe as possible`
	`213`	`+ when working with publicly accessible, untrusted`
	`214`	`+ repositories. This disables all known options that can run`
	`215`	`+ an external program and limits networking to the HTTP`
	`216`	`+ protocol via https:// URLs. This might not cover Git config`
	`217`	`+ options that were added since this was implemented, or`
	`218`	`+ options that might have unknown exploit vectors. It is a`
	`219`	`+ best effort defense rather than an exhaustive protection`
	`220`	`+ measure.`
	`221`	`+`
`207`	`222`	`:raise git.exc.InvalidGitRepositoryError:`
`208`	`223`
`209`	`224`	`:raise git.exc.NoSuchPathError:`
`@@ -235,6 +250,8 @@ def __init__(`
`235`	`250`	`ifnotos.path.exists(epath):`
`236`	`251`	`raiseNoSuchPathError(epath)`
`237`	`252`
	`253`	`+self.safe=safe`
	`254`	`+`
`238`	`255`	# Walk up the path to find the `.git` dir.
`239`	`256`	`curpath=epath`
`240`	`257`	`git_dir=None`
`@@ -309,7 +326,7 @@ def __init__(`
`309`	`326`	`# END working dir handling`
`310`	`327`
`311`	`328`	`self.working_dir:PathLike=self._working_tree_dirorself.common_dir`
`312`		`-self.git=self.GitCommandWrapperType(self.working_dir)`
	`329`	`+self.git=self.GitCommandWrapperType(self.working_dir,safe)`
`313`	`330`
`314`	`331`	`# Special handling, in special times.`
`315`	`332`	`rootpath=osp.join(self.common_dir,"objects")`
`@@ -1305,6 +1322,7 @@ def init(`
`1305`	`1322`	`mkdir:bool=True,`
`1306`	`1323`	`odbt:Type[GitCmdObjectDB]=GitCmdObjectDB,`
`1307`	`1324`	`expand_vars:bool=True,`
	`1325`	`+safe:bool=False,`
`1308`	`1326`	`**kwargs:Any,`
`1309`	`1327`	`)->"Repo":`
`1310`	`1328`	`"""Initialize a git repository at the given path if specified.`
`@@ -1329,6 +1347,8 @@ def init(`
`1329`	`1347`	`information disclosure, allowing attackers to access the contents of`
`1330`	`1348`	`environment variables.`
`1331`	`1349`
	`1350`	`+ TODO :param safe:`
	`1351`	`+`
`1332`	`1352`	`:param kwargs:`
`1333`	`1353`	`Keyword arguments serving as additional options to the`
`1334`	`1354`	:manpage:`git-init(1)` command.
`@@ -1342,9 +1362,9 @@ def init(`
`1342`	`1362`	`os.makedirs(path,0o755)`
`1343`	`1363`
`1344`	`1364`	`# git command automatically chdir into the directory`
`1345`		`-git=cls.GitCommandWrapperType(path)`
	`1365`	`+git=cls.GitCommandWrapperType(path,safe)`
`1346`	`1366`	`git.init(**kwargs)`
`1347`		`-returncls(path,odbt=odbt)`
	`1367`	`+returncls(path,odbt=odbt,safe=safe)`
`1348`	`1368`
`1349`	`1369`	`@classmethod`
`1350`	`1370`	`def_clone(`
`@@ -1357,6 +1377,7 @@ def _clone(`
`1357`	`1377`	`multi_options:Optional[List[str]]=None,`
`1358`	`1378`	`allow_unsafe_protocols:bool=False,`
`1359`	`1379`	`allow_unsafe_options:bool=False,`
	`1380`	`+safe:Union[bool,None]=None,`
`1360`	`1381`	`**kwargs:Any,`
`1361`	`1382`	`)->"Repo":`
`1362`	`1383`	`odbt=kwargs.pop("odbt",odb_default_type)`
`@@ -1418,7 +1439,11 @@ def _clone(`
`1418`	`1439`	`ifnotosp.isabs(path):`
`1419`	`1440`	`path=osp.join(git._working_dir,path)ifgit._working_dirisnotNoneelsepath`
`1420`	`1441`
`1421`		`-repo=cls(path,odbt=odbt)`
	`1442`	`+# if safe is not explicitly defined, then the new Repo instance should inherit the safe value`
	`1443`	`+ifsafeisNone:`
	`1444`	`+safe=git._safe`
	`1445`	`+`
	`1446`	`+repo=cls(path,odbt=odbt,safe=safe)`
`1422`	`1447`
`1423`	`1448`	`# Retain env values that were passed to _clone().`
`1424`	`1449`	`repo.git.update_environment(**git.environment())`
`@@ -1501,6 +1526,7 @@ def clone_from(`
`1501`	`1526`	`multi_options:Optional[List[str]]=None,`
`1502`	`1527`	`allow_unsafe_protocols:bool=False,`
`1503`	`1528`	`allow_unsafe_options:bool=False,`
	`1529`	`+safe:bool=False,`
`1504`	`1530`	`**kwargs:Any,`
`1505`	`1531`	`)->"Repo":`
`1506`	`1532`	`"""Create a clone from the given URL.`
`@@ -1531,13 +1557,16 @@ def clone_from(`
`1531`	`1557`	`:param allow_unsafe_options:`
`1532`	`1558`	Allow unsafe options to be used, like ``--upload-pack``.
`1533`	`1559`
	`1560`	`+ :param safe:`
	`1561`	`+ TODO`
	`1562`	`+`
`1534`	`1563`	`:param kwargs:`
`1535`	`1564`	See the :meth:`clone` method.
`1536`	`1565`
`1537`	`1566`	`:return:`
`1538`	`1567`	:class:`Repo` instance pointing to the cloned directory.
`1539`	`1568`	`"""`
`1540`		`-git=cls.GitCommandWrapperType(os.getcwd())`
	`1569`	`+git=cls.GitCommandWrapperType(os.getcwd(),safe)`
`1541`	`1570`	`ifenvisnotNone:`
`1542`	`1571`	`git.update_environment(**env)`
`1543`	`1572`	`returncls._clone(`
`@@ -1549,6 +1578,7 @@ def clone_from(`
`1549`	`1578`	`multi_options,`
`1550`	`1579`	`allow_unsafe_protocols=allow_unsafe_protocols,`
`1551`	`1580`	`allow_unsafe_options=allow_unsafe_options,`
	`1581`	`+safe=safe,`
`1552`	`1582`	`**kwargs,`
`1553`	`1583`	`)`
`1554`	`1584`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit2ab2ea9

File tree

2 files changed

2 files changed

`‎git/cmd.py‎`

`‎git/repo/base.py‎`

0 commit comments