Block unsafe underscored git kwargs / Fix for GHSA-rpm5-65cw-6hj4 by WesR · Pull Request #2131 · gitpython-developers/GitPython
Pull request overview
This PR addresses GHSA-rpm5-65cw-6hj4 by ensuring unsafe git options are blocked even when supplied via underscored kwarg names (e.g., upload_pack), and expands test coverage to prevent regressions.
Changes:
- Canonicalize option/kwarg names (strip `-`/`--`, drop values, convert `_` → `-`) before performing unsafe-option checks.
- Extend remote/clone tests to include underscored unsafe kwargs.
- Add a focused unit test ensuring `check_unsafe_options` catches multiple normalized forms.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| git/cmd.py | Adds option-name canonicalization and uses it to match unsafe options robustly across kwarg/CLI forms. |
| test/test_remote.py | Expands fetch/pull/push unsafe option tests to include underscored kwargs. |
| test/test_git.py | Adds direct unit tests for Git.check_unsafe_options normalization behavior. |
| test/test_clone.py | Expands clone/clone_from unsafe option tests to include underscored kwargs. |