◐ Shell
reader mode source ↗
Skip to content

fix: block joined short unsafe clone options#2162

Closed
Byron wants to merge 1 commit into
mainfrom
fix-joined-short-bypass
Closed

fix: block joined short unsafe clone options#2162
Byron wants to merge 1 commit into
mainfrom
fix-joined-short-bypass

Conversation

@Byron

@Byron Byron commented Jun 17, 2026
edited
Loading

Copy link
Copy Markdown
Member

Tasks

  • refackiew
  • @EliahKagan review, and particularly to check if this would sufficiently resolve the advisory. To me it seems so.

Advisory

Changes

  • Normalize short-form clone options with attached values for unsafe-option checks in Git._canonicalize_option_name, so inputs like -u/tmp/helper and -cprotocol.ext.allow=always are correctly classified as -u and -c.
  • Added regression coverage for joined short -u... and -c... bypass forms in test_clone_unsafe_options and test_clone_from_unsafe_options.
  • Added explicit unsafe-option canonicalization assertions in test_check_unsafe_options_normalizes_kwargs.

Created by Codex on behalf of Byron. Byron will review before this is ready to merge.

Validation

  • gh pr checks 2162 --watch completed successfully (latest run on this PR head).
  • Codex review run for commit 2568f2b7.

Copilot AI review requested due to automatic review settings June 17, 2026 04:30
Copilot AI reviewed Jun 17, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hide comment

Pull request overview

This PR hardens GitPython’s unsafe-option detection for clone by ensuring short options with joined/attached values (e.g. -u/tmp/helper, -cprotocol.ext.allow=always) are canonicalized correctly during unsafe-option checks, closing a bypass described in GHSA-v396-v7q4-x2qj.

Changes:

  • Update Git._canonicalize_option_name to normalize joined short options to their single-letter form for unsafe-option matching.
  • Add regression tests ensuring joined -u... and -c... forms are rejected in Repo.clone and Repo.clone_from.
  • Add canonicalization-focused assertions in the Git.check_unsafe_options normalization tests.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
git/cmd.py Canonicalizes short -xVALUE option tokens to x for unsafe-option checks, preventing bypass via joined short options.
test/test_clone.py Adds regression cases for joined -u... and -c... in clone-related unsafe-option tests.
test/test_git.py Adds direct check_unsafe_options cases asserting joined short options normalize to the expected unsafe keys.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Byron Byron force-pushed the fix-joined-short-bypass branch from d533b1c to 2568f2b Compare June 17, 2026 04:36
@Byron Byron requested a review from EliahKagan June 17, 2026 09:00
@Byron

Byron commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

Actually, this might be a partial implementation of #2161, which also mentions how short options can be concatenated to hide the actual option.

@Byron

Byron commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

Closing based on this discovery.

@Byron Byron closed this Jun 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@EliahKagan EliahKagan Awaiting requested review from EliahKagan

Assignees

No one assigned

Labels

waiting for feedback

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Byron @codex