Make sure that multi-options are checked after splitting them with `shlex` by Byron · Pull Request #2130 · gitpython-developers/GitPython

Pull request overview

This PR addresses the GitPython security advisory GHSA-x2qx-6953-8485 by ensuring “multi-options” are validated for unsafe flags after they are split via shlex, preventing unsafe options from being hidden inside a single multi-option string.

Changes:

  • Update clone option validation to run check_unsafe_options against the shlex-split multi-options list.
  • Add regression tests for Repo.clone, Repo.clone_from, and Submodule.update to confirm unsafe options are caught when embedded in a combined multi-option payload.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| git/repo/base.py | Validates unsafe clone options against the split multi args instead of the raw multi_options strings. |
| test/test_clone.py | Adds tests ensuring unsafe options are rejected after splitting multi_options payload strings. |
| test/test_submodule.py | Adds a test ensuring submodule update clone options are checked after splitting combined payloads. |
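
The ordering issue described in this overview, as an added example that is not GitPython's code and not part of the pull request: a deny-list check run on the raw multi-option strings versus the same check run on the `shlex`-split tokens. The function names, the deny-list contents and the sample payload are assumptions constructed for illustration.

```python
import shlex

# Assumed deny-list for this example; the project's real list may differ.
UNSAFE_CLONE_OPTIONS = ("--upload-pack", "-u", "--config", "-c")

# Constructed sample: one multi-option string carrying two flags.
CONSTRUCTED_PAYLOAD = ["--depth=1 --upload-pack=PLACEHOLDER"]


class UnsafeOptionError(ValueError):
    """Raised when a denied option is found (hypothetical name)."""


def check_unsafe_options(options, unsafe_options=UNSAFE_CLONE_OPTIONS):
    """Reject any argument that begins with a denied flag."""
    for option in options:
        for unsafe in unsafe_options:
            if option.startswith(unsafe):
                raise UnsafeOptionError(f"{unsafe} is not allowed: {option!r}")


def split_multi_options(multi_options):
    """Turn each multi-option string into the argv tokens the command receives."""
    return [tok for entry in multi_options for tok in shlex.split(entry)]


def validate_raw(multi_options):
    """'Before' ordering: check the unsplit strings, then split.

    The check only sees how each string begins, so a denied flag that
    follows an allowed one inside the same string is never examined.
    """
    check_unsafe_options(multi_options)
    return split_multi_options(multi_options)


def validate_split(multi_options):
    """'After' ordering: split first, then check every resulting token."""
    args = split_multi_options(multi_options)
    check_unsafe_options(args)
    return args


if __name__ == "__main__":
    print("raw check passes:", validate_raw(CONSTRUCTED_PAYLOAD))
    try:
        validate_split(CONSTRUCTED_PAYLOAD)
    except UnsafeOptionError as exc:
        print("split check rejects:", exc)
```

The regression tests listed in the table exercise the same property through `Repo.clone`, `Repo.clone_from` and `Submodule.update`.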
