Ensure Git parameters are safe
sdispater committed Sep 16, 2021
1 parent 37deae6 commit cc84be6
Showing 2 changed files with 37 additions and 1 deletion.
20 changes: 19 additions & 1 deletion poetry/core/vcs/git.py
Expand Up @@ -118,6 +118,11 @@
]


class GitError(RuntimeError):

pass


class ParsedUrl:
def __init__(
self,
Expand Down Expand Up @@ -243,7 +248,9 @@ def config(self) -> GitConfig:
return self._config

def clone(self, repository: str, dest: Path) -> str:
return self.run("clone", "--recurse-submodules", repository, str(dest))
self._check_parameter(repository)

return self.run("clone", "--recurse-submodules", "--", repository, str(dest))

def checkout(self, rev: str, folder: Optional[Path] = None) -> str:
args = []
Expand All @@ -258,6 +265,8 @@ def checkout(self, rev: str, folder: Optional[Path] = None) -> str:
folder.as_posix(),
]

self._check_parameter(rev)

args += ["checkout", rev]

return self.run(*args)
Expand All @@ -267,6 +276,8 @@ def rev_parse(self, rev: str, folder: Optional[Path] = None) -> str:
if folder is None and self._work_dir:
folder = self._work_dir

self._check_parameter(rev)

# We need "^0" (an alternative to "^{commit}") to ensure that the
# commit SHA of the commit the tag points to is returned, even in
# the case of annotated tags.
Expand Down Expand Up @@ -337,3 +348,10 @@ def run(self, *args: Any, **kwargs: Any) -> str:
.decode()
.strip()
)

def _check_parameter(self, parameter: str) -> str:
"""
Checks a git parameter to avoid unwanted code execution.
"""
if parameter.strip().startswith("-"):
raise GitError(f"Invalid Git parameter: {parameter}")
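Review bot: `_check_parameter` is annotated `-> str` but has no return statement, so it always yields None and the three call sites (clone, checkout, rev_parse) discard the result; the signature should read `def _check_parameter(self, parameter: str) -> None:` (it reads no instance state, so `@staticmethod` would also fit). The docstring should name the threat it closes rather than "unwanted code execution": `"""Reject values Git would parse as an option (e.g. ``--upload-pack=./payload``), so a crafted revision or URL cannot inject flags into the argv built by run()."""`. Note that `checkout` and `rev_parse` cannot use the `--` separator the way `clone` now does, because `git checkout -- X` treats X as a path, so this leading-dash check is the only barrier on those two paths. The body of `rev_parse` continues past the hunk.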
18 changes: 18 additions & 0 deletions tests/vcs/test_vcs.py
@@ -1,6 +1,9 @@
from pathlib import Path

import pytest

from poetry.core.vcs.git import Git
from poetry.core.vcs.git import GitError
from poetry.core.vcs.git import GitUrl
from poetry.core.vcs.git import ParsedUrl

Expand Down Expand Up @@ -348,3 +351,18 @@ def test_parse_url_should_fail():

with pytest.raises(ValueError):
ParsedUrl.parse(url)


def test_git_clone_raises_error_on_invalid_repository():
with pytest.raises(GitError):
Git().clone("-u./payload", Path("foo"))


def test_git_checkout_raises_error_on_invalid_repository():
with pytest.raises(GitError):
Git().checkout("-u./payload")


def test_git_rev_parse_raises_error_on_invalid_repository():
with pytest.raises(GitError):
Git().rev_parse("-u./payload")
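Review bot: The three new tests each exercise only the bare `-u./payload` form, so neither the `.strip()` in `_check_parameter` (a value with leading whitespace such as `" --upload-pack=./payload"`) nor the accept path (a plain revision such as `v1.0.0` must not raise) is covered. The names `test_git_checkout_raises_error_on_invalid_repository` and `test_git_rev_parse_raises_error_on_invalid_repository` also say "repository" although the argument they pass is a revision; `..._on_invalid_rev` would read correctly. I would add a parametrized rejection test plus one positive case, as sketched below; keep the existing three as the end-to-end checks of each entry point.

```python
@pytest.mark.parametrize(
    "parameter", ["-u./payload", " --upload-pack=./payload", "\t-c"]
)
def test_git_check_parameter_rejects_option_like_values(parameter):
    with pytest.raises(GitError):
        Git()._check_parameter(parameter)


def test_git_check_parameter_accepts_plain_revision():
    # must not raise
    Git()._check_parameter("v1.0.0")
```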
