Fix CVE-2023-41040

facutuesca · facutuesca · commit b2d3d01c8b2e · 2023-09-05T09:51:58.000+02:00
This change adds a check during reference resolving to see if the requested reference is inside the current repository folder. If it's ouside, it raises an exception. This fixes CVE-2023-41040, which allows an attacker to access files outside the repository's directory.
diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
@@ -1,4 +1,5 @@
 from git.types import PathLike
+from pathlib import Path
 import os
 
 from git.compat import defenc
@@ -171,7 +172,13 @@ def _get_ref_info_helper(
         tokens: Union[None, List[str], Tuple[str, str]] = None
         repodir = _git_dir(repo, ref_path)
         try:
-            with open(os.path.join(repodir, str(ref_path)), "rt", encoding="UTF-8") as fp:
+            # Make path absolute, resolving any symlinks, and check that we are still
+            # inside the repository
+            full_ref_path = Path(repodir, str(ref_path)).resolve(strict=True)
+            if Path(repodir) not in full_ref_path.parents:
+                raise ValueError(f"Reference at {full_ref_path} is outside the repo directory")
+
+            with open(full_ref_path, "rt", encoding="UTF-8") as fp:
                 value = fp.read().rstrip()
             # Don't only split on spaces, but on whitespace, which allows to parse lines like
             # 60b64ef992065e2600bfef6187a97f92398a9144                branch 'master' of git-server:/path/to/repo
