Commit94e0fb0

committed

Add a unit test forCVE-2023-40590

This adds test_it_executes_git_not_from_cwd to verify that theexecute method does not use "git.exe" in the current directory onWindows, nor "git" in the current directory on Unix-like systems,when those files are executable.It adds a _chdir helper context manager to support this, becausecontextlib.chdir is only available on Python 3.11 and later.

1 parent6029211 commit94e0fb0Copy full SHA for 94e0fb0

File tree

1 file changed

+31

-1

lines changed

test
- test_git.py

1 file changed

+31

-1

lines changed

`‎test/test_git.py`

Lines changed: 31 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -4,10 +4,12 @@`
`4`	`4`	`#`
`5`	`5`	`# This module is part of GitPython and is released under`
`6`	`6`	`# the BSD License: http://www.opensource.org/licenses/bsd-license.php`
	`7`	`+importcontextlib`
`7`	`8`	`importos`
	`9`	`+importshutil`
`8`	`10`	`importsubprocess`
`9`	`11`	`importsys`
`10`		`-fromtempfileimportTemporaryFile`
	`12`	`+fromtempfileimportTemporaryDirectory,TemporaryFile`
`11`	`13`	`fromunittestimportmock`
`12`	`14`
`13`	`15`	`fromgitimportGit,refresh,GitCommandError,GitCommandNotFound,Repo,cmd`
`@@ -20,6 +22,17 @@`
`20`	`22`	`fromgit.compatimportis_win`
`21`	`23`
`22`	`24`
	`25`	`+@contextlib.contextmanager`
	`26`	`+def_chdir(new_dir):`
	`27`	`+"""Context manager to temporarily change directory. Not reentrant."""`
	`28`	`+old_dir=os.getcwd()`
	`29`	`+os.chdir(new_dir)`
	`30`	`+try:`
	`31`	`+yield`
	`32`	`+finally:`
	`33`	`+os.chdir(old_dir)`
	`34`	`+`
	`35`	`+`
`23`	`36`	`classTestGit(TestBase):`
`24`	`37`	`@classmethod`
`25`	`38`	`defsetUpClass(cls):`
`@@ -75,6 +88,23 @@ def test_it_transforms_kwargs_into_git_command_arguments(self):`
`75`	`88`	`deftest_it_executes_git_to_shell_and_returns_result(self):`
`76`	`89`	`self.assertRegex(self.git.execute(["git","version"]),r"^git version [\d\.]{2}.*$")`
`77`	`90`
	`91`	`+deftest_it_executes_git_not_from_cwd(self):`
	`92`	`+withTemporaryDirectory()astmpdir:`
	`93`	`+ifis_win:`
	`94`	`+# Copy an actual binary executable that is not git.`
	`95`	`+other_exe_path=os.path.join(os.getenv("WINDIR"),"system32","hostname.exe")`
	`96`	`+impostor_path=os.path.join(tmpdir,"git.exe")`
	`97`	`+shutil.copy(other_exe_path,impostor_path)`
	`98`	`+else:`
	`99`	`+# Create a shell script that doesn't do anything.`
	`100`	`+impostor_path=os.path.join(tmpdir,"git")`
	`101`	`+withopen(impostor_path,mode="w",encoding="utf-8")asfile:`
	`102`	`+print("#!/bin/sh",file=file)`
	`103`	`+os.chmod(impostor_path,0o755)`
	`104`	`+`
	`105`	`+with_chdir(tmpdir):`
	`106`	`+self.assertRegex(self.git.execute(["git","version"]),r"^git version [\d\.]{2}.*$")`
	`107`	`+`
`78`	`108`	`deftest_it_accepts_stdin(self):`
`79`	`109`	`filename=fixture_path("cat_file_blob")`
`80`	`110`	`withopen(filename,"r")asfh:`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit94e0fb0

File tree

1 file changed

1 file changed

`‎test/test_git.py`

0 commit comments