For f-droid.org, we build thousands of Android apps from git repos. To reduce our attack surface and work towards "least authority", we use a custom Git wrapper that locks down a lot of things that we never need, and have a higher risk of vulnerabilities. I would like to rework this to be a part of GitPython. So I'm opening this issue to see if this is something that the GitPython maintainers would be interested in merging.

I'm open on the API, it could be something like this:

git_repo=git.repo.Repo('.',safe=True)

The goal would be then that all invocations of Git would include these kinds options:

core.askpass = /bin/truecore.hooksPath = /dev/nullprotocol.allow = neverprotocol.https.allow = alwayscore.sshCommand = /bin/falseurl.https://.insteadOf = ssh://

And run with these env vars:

GIT_TERMINAL_PROMPT=0GIT_ASKPASS=/bin/trueSSH_ASKPASS=/bin/trueGIT_SSH=/bin/false# for git < 2.3

This then hopefully only allows unauthenticated access to HTTPS repos, and prevents the execution of any command besidesgit. This would eliminate risks like these:

• GHSA-2mqj-m65w-jghx
• https://stackoverflow.com/questions/74200395/is-it-dangerous-to-open-or-clone-a-git-repository-from-an-untrusted-source
• GHSA-vm9j-46j9-qvq4
• https://git-scm.com/docs/git#_security
• https://github.blog/open-source/git/securing-git-addressing-5-new-vulnerabilities/
• https://nvd.nist.gov/vuln/detail/CVE-2017-1000117