|
5 | 5 | # the BSD License: http://www.opensource.org/licenses/bsd-license.php
|
6 | 6 |
|
7 | 7 | fromitertoolsimportchain
|
| 8 | +frompathlibimportPath |
8 | 9 |
|
9 | 10 | fromgitimport (
|
10 | 11 | Reference,
|
|
20 | 21 | fromgit.objects.tagimportTagObject
|
21 | 22 | fromtest.libimportTestBase,with_rw_repo
|
22 | 23 | fromgit.utilimportActor
|
| 24 | +fromgitdb.excimportBadName |
23 | 25 |
|
24 | 26 | importgit.refsasrefs
|
25 | 27 | importos.pathasosp
|
| 28 | +importtempfile |
26 | 29 |
|
27 | 30 |
|
28 | 31 | classTestRefs(TestBase):
|
@@ -616,3 +619,15 @@ def test_dereference_recursive(self):
|
616 | 619 |
|
617 | 620 | deftest_reflog(self):
|
618 | 621 | assertisinstance(self.rorepo.heads.master.log(),RefLog)
|
| 622 | + |
| 623 | +deftest_refs_outside_repo(self): |
| 624 | +# Create a file containing a valid reference outside the repository. Attempting |
| 625 | +# to access it should raise an exception, due to it containing a parent directory |
| 626 | +# reference ('..'). This tests for CVE-2023-41040. |
| 627 | +git_dir=Path(self.rorepo.git_dir) |
| 628 | +repo_parent_dir=git_dir.parent.parent |
| 629 | +withtempfile.NamedTemporaryFile(dir=repo_parent_dir)asref_file: |
| 630 | +ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe") |
| 631 | +ref_file.flush() |
| 632 | +ref_file_name=Path(ref_file.name).name |
| 633 | +self.assertRaises(BadName,self.rorepo.commit,f"../../{ref_file_name}") |
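Review bot: The temp file is created in `git_dir.parent.parent`, the directory above the test checkout, which the test suite does not own; where that directory is read-only or shared, `NamedTemporaryFile` raises `PermissionError` and this CVE regression test errors out instead of giving a verdict. Since `with_rw_repo` is already imported, running the test against a writable clone under a temp directory would keep the write in test-owned space, e.g. `@with_rw_repo("HEAD")` with `git_dir = Path(rw_repo.git_dir)`, assuming the hard-coded commit `91b464cd…` is present in that clone, which I cannot confirm from here. Separately, the assertion only pins the `../../` traversal: if the fix is meant to reject absolute paths too, a second `self.assertRaises(BadName, self.rorepo.commit, ref_file.name)` would cover that shape, and a positive control such as `self.rorepo.commit("master")` would catch an over-broad guard that rejects legitimate refs. The enclosing `TestRefs` class starts before this hunk.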