
Block unsafe underscored git kwargs / Fix for GHSA-rpm5-65cw-6hj4#2131

Merged
Byron merged 3 commits into
gitpython-developers:mainfrom
WesR:main
Apr 22, 2026

Conversation

@WesR WesR commented Apr 21, 2026

Contributor

No description provided.

Copilot AI left a comment

Contributor


Pull request overview

This PR addresses GHSA-rpm5-65cw-6hj4 by ensuring unsafe git options are blocked even when supplied via underscored kwarg names (e.g., upload_pack), and expands test coverage to prevent regressions.

Changes:

  • Canonicalize option/kwarg names (strip `-`/`--`, drop values, convert `_` to `-`) before performing unsafe-option checks.
  • Extend remote/clone tests to include underscored unsafe kwargs.
  • Add a focused unit test ensuring check_unsafe_options catches multiple normalized forms.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| git/cmd.py | Adds option-name canonicalization and uses it to match unsafe options robustly across kwarg/CLI forms. |
| test/test_remote.py | Expands fetch/pull/push unsafe option tests to include underscored kwargs. |
| test/test_git.py | Adds direct unit tests for Git.check_unsafe_options normalization behavior. |
| test/test_clone.py | Expands clone/clone_from unsafe option tests to include underscored kwargs. |

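The canonicalization step the review summarizes, written out as an added example rather than GitPython's own code: a naive check that only matches the exact `--upload-pack` spelling misses the `upload_pack` kwarg form, while a check on the canonical name catches every spelling. `upload-pack` is the option named above; the rest of the unsafe list and the helper names are this example's own assumptions.

```python
import re
from typing import Iterable

# Options that let a caller point git at an arbitrary executable or rewrite
# its configuration. "upload-pack" is the one named in the review; the other
# entries are this example's own assumption, not GitPython's actual list.
UNSAFE_OPTIONS = frozenset({"upload-pack", "receive-pack", "exec", "config"})


def canonicalize_option_name(option: str) -> str:
    """Reduce any spelling of a git option to its bare dashed name.

    "--upload-pack=/tmp/x" -> "upload-pack"   (CLI form carrying a value)
    "upload_pack"          -> "upload-pack"   (Python kwarg spelling)
    "-c core.a=b"          -> "c"             (short flag, value after a space)
    """
    name = option.strip()
    # Drop the value: everything from the first '=' or whitespace onwards.
    name = re.split(r"[=\s]", name, maxsplit=1)[0]
    # Strip the leading '-' or '--'.
    name = re.sub(r"^-{1,2}", "", name)
    # Kwargs use '_' where the command line uses '-'.
    return name.replace("_", "-")


def naive_is_unsafe(option: str, unsafe: frozenset = UNSAFE_OPTIONS) -> bool:
    """Pre-fix style check: exact match on the long dashed CLI spelling only."""
    return option in {f"--{name}" for name in unsafe}


def is_unsafe(option: str, unsafe: frozenset = UNSAFE_OPTIONS) -> bool:
    """Fixed check: compare the canonical name, so every spelling is caught."""
    return canonicalize_option_name(option) in unsafe


def check_unsafe_options(options: Iterable[str]) -> list:
    """Return every option (as supplied) that the fixed check rejects."""
    return [opt for opt in options if is_unsafe(opt)]


if __name__ == "__main__":
    # Constructed sample: one dangerous option in two spellings, another in
    # kwarg spelling, and two harmless options.
    sample = ["--upload-pack=/tmp/x", "upload_pack", "--depth=1", "branch", "receive_pack"]
    for opt in sample:
        print(f"{opt:22} naive={naive_is_unsafe(opt)!s:5} fixed={is_unsafe(opt)}")
```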


@Byron Byron left a comment

Member


Thanks a lot!

This looks good enough to me, but let's wait for Copilot.


@Byron Byron left a comment

Member


Let's address the concerns stated in the auto review.


WesR commented Apr 21, 2026

Contributor Author

Done!

@Byron Byron left a comment

Member


Thanks a million!

@Byron Byron merged commit 0f68db0 into gitpython-developers:main Apr 22, 2026
52 of 53 checks passed
736-c41-2c1-e464fc974 pushed a commit to Swiss-Armed-Forces/Loom that referenced this pull request Apr 27, 2026
This MR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [gitpython](https://github.com/gitpython-developers/GitPython) | dev | patch | `3.1.46` → `3.1.47` | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/gitpython-developers/GitPython/badge)](https://securityscorecards.dev/viewer/?uri=github.com/gitpython-developers/GitPython) |

---

### Release Notes

<details>
<summary>gitpython-developers/GitPython (gitpython)</summary>

### [`v3.1.47`](https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47): - with security fixes

[Compare Source](gitpython-developers/GitPython@3.1.46...3.1.47)

#### Advisories

- <GHSA-rpm5-65cw-6hj4>
- <GHSA-x2qx-6953-8485>

#### What's Changed

- Prepare next release by [@Byron](https://github.com/Byron) in [#2095](gitpython-developers/GitPython#2095)
- Bump git/ext/gitdb from `335c0f6` to `4c63ee6` by [@dependabot](https://github.com/dependabot)[bot] in [#2096](gitpython-developers/GitPython#2096)
- DOC: README Add urls and updated a relative url by [@Timour-Ilyas](https://github.com/Timour-Ilyas) in [#2098](gitpython-developers/GitPython#2098)
- Fix GitConfigParser ignoring multiple [include] path entries by [@daniel7an](https://github.com/daniel7an) in [#2100](gitpython-developers/GitPython#2100)
- Switch back from Alpine to Debian for WSL by [@EliahKagan](https://github.com/EliahKagan) in [#2108](gitpython-developers/GitPython#2108)
- Bump git/ext/gitdb from `4c63ee6` to `5c1b303` by [@dependabot](https://github.com/dependabot)[bot] in [#2106](gitpython-developers/GitPython#2106)
- Run `gc.collect()` twice in `test_rename` on Python 3.12 by [@EliahKagan](https://github.com/EliahKagan) in [#2109](gitpython-developers/GitPython#2109)
- fix: guard AutoInterrupt terminate during interpreter shutdown by [@lweyrich1](https://github.com/lweyrich1) in [#2105](gitpython-developers/GitPython#2105)
- Improve CI infrastructure for pre-commit by [@EliahKagan](https://github.com/EliahKagan) in [#2110](gitpython-developers/GitPython#2110)
- Bump the pre-commit group with 5 updates by [@dependabot](https://github.com/dependabot)[bot] in [#2111](gitpython-developers/GitPython#2111)
- Upgrade Sphinx for 3.14 support; drop doc build support on 3.8; test 3.14 by [@EliahKagan](https://github.com/EliahKagan) in [#2112](gitpython-developers/GitPython#2112)
- Fix `Repo.active_branch` resolution for reftable-backed repositories by [@Copilot](https://github.com/Copilot) in [#2114](gitpython-developers/GitPython#2114)
- docs: warn about GitDB performance with large commits by [@mvanhorn](https://github.com/mvanhorn) in [#2115](gitpython-developers/GitPython#2115)
- cmd: fix kwarg formatting in docstring example by [@UweSchwaeke](https://github.com/UweSchwaeke) in [#2117](gitpython-developers/GitPython#2117)
- Bump <https://github.com/astral-sh/ruff-pre-commit> from v0.15.5 to 0.15.8 in the pre-commit group by [@dependabot](https://github.com/dependabot)[bot] in [#2122](gitpython-developers/GitPython#2122)
- Add trailer support for commit creation by [@Krishnachaitanyakc](https://github.com/Krishnachaitanyakc) in [#2116](gitpython-developers/GitPython#2116)
- Harden commit trailer subprocess handling and align trailer I/O paths by [@Copilot](https://github.com/Copilot) in [#2125](gitpython-developers/GitPython#2125)
- git.cmd.Git.execute(..): fix `with_stdout=False` by [@ngie-eign](https://github.com/ngie-eign) in [#2126](gitpython-developers/GitPython#2126)
- Make sure that multi-options are checked after splitting them with `shlex` by [@Byron](https://github.com/Byron) in [#2130](gitpython-developers/GitPython#2130)
- Block unsafe underscored git kwargs / Fix for GHSA-rpm5-65cw-6hj4 by [@WesR](https://github.com/WesR) in [#2131](gitpython-developers/GitPython#2131)

#### New Contributors

- [@Timour-Ilyas](https://github.com/Timour-Ilyas) made their first contribution in [#2098](gitpython-developers/GitPython#2098)
- [@daniel7an](https://github.com/daniel7an) made their first contribution in [#2100](gitpython-developers/GitPython#2100)
- [@lweyrich1](https://github.com/lweyrich1) made their first contribution in [#2105](gitpython-developers/GitPython#2105)
- [@Copilot](https://github.com/Copilot) made their first contribution in [#2114](gitpython-developers/GitPython#2114)
- [@mvanhorn](https://github.com/mvanhorn) made their first contribution in [#2115](gitpython-developers/GitPython#2115)
- [@UweSchwaeke](https://github.com/UweSchwaeke) made their first contribution in [#2117](gitpython-developers/GitPython#2117)
- [@Krishnachaitanyakc](https://github.com/Krishnachaitanyakc) made their first contribution in [#2116](gitpython-developers/GitPython#2116)
- [@ngie-eign](https://github.com/ngie-eign) made their first contribution in [#2126](gitpython-developers/GitPython#2126)
- [@WesR](https://github.com/WesR) made their first contribution in [#2131](gitpython-developers/GitPython#2131)

**Full Changelog**: <gitpython-developers/GitPython@3.1.46...3.1.47>

</details>

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

See merge request swiss-armed-forces/cyber-command/cea/loom!486

Co-authored-by: Loom MR Pipeline Trigger <group_103951964_bot_9504bb8dead6d4e406ad817a607f24be@noreply.gitlab.com>