@@ -1180,3 +1180,29 @@ def test_do_not_strip_newline_in_stdout(self, rw_dir):
11801180r .git .add (Git .polish_url (fp ))
11811181r .git .commit (message = "init" )
11821182self .assertEqual (r .git .show ("HEAD:hello.txt" ,strip_newline_in_stdout = False ),"hello\n " )
1183+
1184+ @with_rw_repo ("HEAD" )
1185+ def test_clone_command_injection (self ,rw_repo ):
1186+ tmp_dir = pathlib .Path (tempfile .mkdtemp ())
1187+ unexpected_file = tmp_dir / "pwn"
1188+ assert not unexpected_file .exists ()
1189+
1190+ payload = f"--upload-pack=touch{ unexpected_file } "
1191+ rw_repo .clone (payload )
1192+
1193+ assert not unexpected_file .exists ()
1194+ # A repo was cloned with the payload as name
1195+ assert pathlib .Path (payload ).exists ()
1196+
1197+ @with_rw_repo ("HEAD" )
1198+ def test_clone_from_command_injection (self ,rw_repo ):
1199+ tmp_dir = pathlib .Path (tempfile .mkdtemp ())
1200+ temp_repo = Repo .init (tmp_dir / "repo" )
1201+ unexpected_file = tmp_dir / "pwn"
1202+
1203+ assert not unexpected_file .exists ()
1204+ payload = f"--upload-pack=touch{ unexpected_file } "
1205+ with self .assertRaises (GitCommandError ):
1206+ rw_repo .clone_from (payload ,temp_repo .common_dir )
1207+
1208+ assert not unexpected_file .exists ()
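Review bot: Neither new test cleans up after itself: the directory from `tempfile.mkdtemp()` in both test_clone_command_injection and test_clone_from_command_injection is never removed, and `rw_repo.clone(payload)` creates a working copy literally named after the payload at a relative path that the test asserts on but never deletes (unless the `with_rw_repo` fixture chdirs into a throwaway tree and discards it, which I cannot see from here). Register cleanup right after creation, e.g. `self.addCleanup(shutil.rmtree, tmp_dir, ignore_errors=True)` and, after the clone, `self.addCleanup(shutil.rmtree, payload, ignore_errors=True)`, assuming `shutil` is imported in this module. Separately, the negative check `assert not unexpected_file.exists()` is satisfied just as well when `touch` is unavailable or not invoked through a shell (e.g. on Windows) as when the separator actually stops the injection, so on such hosts the test passes vacuously; a comment stating that the test depends on a POSIX `touch`, or a payload built from `sys.executable`, would make the regression coverage explicit. As rendered here the payload reads `touch{unexpected_file}` with no space before the path; if that is the real source rather than an extraction artifact, the whole string is one nonexistent program name and the test could not fail even against the vulnerable code, so it should read `f"--upload-pack=touch {unexpected_file}"`.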