From f92f4c3bf902c7fc3887cfd969b3e54f581f18f8 Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Sat, 30 Mar 2024 20:16:45 -0400
Subject: [PATCH] Clarify security risk in USE_SHELL doc and warnings
---
 git/cmd.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/git/cmd.py b/git/cmd.py
index 42e6e927c..b2829801f 100644
--- a/git/cmd.py
+++ b/git/cmd.py
@@ -314,10 +314,10 @@ def dict_to_slots_and__excluded_are_none(self: object, d: Mapping[str, Any], exc
 )
 _USE_SHELL_DANGER_MESSAGE = (
- "Setting Git.USE_SHELL to True is unsafe and insecure, and should be avoided, "
- "because the effect of shell metacharacters and shell expansions cannot usually be "
- "accounted for. In addition, Git.USE_SHELL is deprecated and will be removed in a "
- "future release."
+ "Setting Git.USE_SHELL to True is unsafe and insecure, as the effect of special "
+ "shell syntax cannot usually be accounted for. This can result in a command "
+ "injection vulnerability and arbitrary code execution. Git.USE_SHELL is deprecated "
+ "and will be removed in a future release."
 )
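Review bot: The rewritten `_USE_SHELL_DANGER_MESSAGE` names the consequence (command injection, arbitrary code execution) but gives the reader no pointer to the remedy, so someone who hits the warning still has to go looking for what to do instead; the `USE_SHELL` docstring changed in this same patch already says that enabling the shell is no longer needed, and the warning could point there. One more fragment before the closing parenthesis would do: `"See the Git.USE_SHELL documentation for details and for why it is no longer needed."`. Where the message is emitted is outside this hunk, so only the wording is reviewed here.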
@@ -413,6 +413,13 @@ def __setstate__(self, d: Dict[str, Any]) -> None:
 considered and accounted for, which is not possible under most circumstances. As detailed below, it is also no longer needed, even where it had been in the past.
+ It is in many if not most cases a command injection vulnerability for an application
+ to set :attr:`USE_SHELL` to ``True``. Any attacker who can cause a specially crafted
+ fragment of text to make its way into any part of any argument to any git command
+ (including paths, branch names, etc.) can cause the shell to read and write
+ arbitrary files and execute arbitrary commands. Innocent input may also accidentally
+ contain special shell syntax, leading to inadvertent malfunctions.
+
 In addition, how a value of ``True`` interacts with some aspects of GitPython's operation is not precisely specified and may change without warning, even before GitPython 4.0.0 when :attr:`USE_SHELL` may be removed. This includes:
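Review bot: The new paragraph explains that attacker-controlled text in any git argument is interpreted as shell syntax, but it does not say where such text typically originates in GitPython use, which is what a maintainer needs to judge their own exposure; ref names and paths obtained from a remote repository, or from user-supplied input, are the usual cases. Consider extending the parenthetical on the fourth added line: `(including paths, branch names and other ref names, whether typed by a user or obtained from a remote repository)`. It would also help readers to know the scope of the setting: the value is read as `Git.USE_SHELL`, so if it is class-level state — which this hunk does not show — setting it anywhere in a process affects every `Git` instance in that process, including ones created by other libraries; confirm that before adding such a sentence. The attribute docstring this paragraph belongs to starts and ends outside the hunk.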