delta/python-packages/gitpython.git/git, branch 3.1.30

Merge pull request #1521 from stsewd/block-insecure-options

2022-12-29T07:09:28+00:00

Block insecure options and protocols by default

Fix type hint on create_tag

2022-12-29T07:06:10+00:00

pycharm yells at me without this

Document PushInfoList

2022-12-29T07:05:02+00:00

More tests

2022-12-28T00:15:40+00:00

Updates from review

2022-12-27T21:56:43+00:00

Block unsafe options and protocols by default

2022-12-24T01:40:06+00:00

Forbid unsafe protocol URLs in Repo.clone{,_from}()

2022-12-23T21:16:21+00:00

Since the URL is passed directly to git clone, and the remote-ext helper
will happily execute shell commands, so by default disallow URLs that
contain a "::" unless a new unsafe_protocols kwarg is passed.
(CVE-2022-24439)

Fixes #1515

Fix command injection

2022-12-21T03:04:06+00:00

Add `--` in some commands that receive user input
and if interpreted as options could lead to remote
code execution (RCE).

There may be more commands that could benefit from `--`
so the input is never interpreted as an option,
but most of those aren't dangerous.

Fixed commands:

- push
- pull
- fetch
- clone/clone_from and friends
- archive (not sure if this one can be exploited, but it doesn't hurt
  adding `--` :))

For anyone using GitPython and exposing any of the GitPython methods to users,
make sure to always validate the input (like if starts with `--`).
And for anyone allowing users to pass arbitrary options, be aware
that some options may lead fo RCE, like `--exc`, `--upload-pack`,
`--receive-pack`, `--config` (https://github.com/gitpython-developers/GitPython/pull/1516).

Ref https://github.com/gitpython-developers/GitPython/issues/1517

fix CI by allowing the file protocol as well.

2022-11-28T14:18:41+00:00

Add datetime.datetime type to commit_date and author_date

2022-10-13T17:12:57+00:00