prevent out-of-repo access when manipulating references.#2134
Merged
Conversation
This previously made it possible to create, modify and delete files outside outside of the repository, which is a problem if inputs aren't trusted. Co-authored-by: Sebastian Thiel <sebastian.thiel@icloud.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens ref/reflog filesystem path handling to prevent path traversal and other escapes that could otherwise write, rename, or delete files outside the repository’s git directories when ref inputs are untrusted.
Changes:
- Add validated path resolution (
realpath+commonpath) for ref and reflog paths to ensure they stay within the repo’s git/common dirs. - Use validated ref paths in
SymbolicReferenceoperations (create/set/delete/rename) and inRemoteReference.delete. - Add regression tests to ensure path traversal attempts are rejected.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
git/refs/symbolic.py |
Introduces validated path helpers and applies them to ref file operations. |
git/refs/remote.py |
Validates remote ref paths and uses validated filesystem paths when deleting ref files. |
git/refs/log.py |
Uses validated reflog path construction. |
test/test_refs.py |
Adds regression tests ensuring path traversal is rejected for various ref operations. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
e90b57c to
44e8cc5
Compare
44e8cc5 to
38f91f0
Compare
38f91f0 to
8c6d5ee
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
8c6d5ee to
c57e127
Compare
Member
Author
|
On Byron's behalf: Review pass on the latest Copilot comments:
|
Consolidate follow-up fixes from review and CI: - fix lint and mypy issues in reference log path handling - validate remote reference paths before invoking git branch deletion - add symlink escape coverage where realpath resolves symlinks - ensure temporary test repositories release git resources during cleanup Co-authored-by: Sebastian Thiel <sebastian.thiel@icloud.com>
c57e127 to
4af8463
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This previously made it possible to create, modify and delete files outside outside of the repository, which is a problem if inputs aren't trusted.
Tasks