Fix leaking environment variables by Plazmaz · Pull Request #662 · gitpython-developers/GitPython
from git.cmd import ( Git,
def _expand_path(p): return osp.normpath(osp.abspath(osp.expandvars(osp.expanduser(p)))) def _expand_path(p, expand_vars=True): p = osp.expanduser(p) if expand_vars: p = osp.expandvars(p) return osp.normpath(osp.abspath(p))
class Repo(object):
def __init__(self, path=None, odbt=DefaultDBType, search_parent_directories=False): def __init__(self, path=None, odbt=DefaultDBType, search_parent_directories=False, expand_vars=True): """Create a new Repo instance
:param path:
epath = path or os.getenv('GIT_DIR') if not epath: epath = os.getcwd() if Git.is_cygwin(): epath = decygpath(epath) epath = _expand_path(epath or path or os.getcwd()) epath = epath or path or os.getcwd() if expand_vars and ("%" in epath or "$" in epath): warnings.warn("The use of environment variables in paths is deprecated" + "\nfor security reasons and may be removed in the future!!") epath = _expand_path(epath, expand_vars) if not os.path.exists(epath): raise NoSuchPathError(epath)
if sm_gitpath is not None: self.git_dir = _expand_path(sm_gitpath) self.git_dir = _expand_path(sm_gitpath, expand_vars) self._working_tree_dir = curpath break
@classmethod def init(cls, path=None, mkdir=True, odbt=DefaultDBType, **kwargs): def init(cls, path=None, mkdir=True, odbt=DefaultDBType, expand_vars=True, **kwargs): """Initialize a git repository at the given path if specified
:param path:
:param expand_vars: if specified, environment variables will not be escaped. This can lead to information disclosure, allowing attackers to access the contents of environment variables
:parm kwargs: keyword arguments serving as additional options to the git-init command
:return: ``git.Repo`` (the newly created repo)""" if path: path = _expand_path(path) path = _expand_path(path, expand_vars) if mkdir and path and not osp.exists(path): os.makedirs(path, 0o755)
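Review bot: The deprecation warning guards only the `epath` expansion in `Repo.__init__`; the `sm_gitpath` expansion further down the constructor and the `path` expansion in `Repo.init` both still call `_expand_path(..., expand_vars)` with the default `expand_vars=True` and warn about nothing. `sm_gitpath` looks like it is derived from repository content rather than passed in by the caller (its origin is outside the visible lines), which makes it the input least likely to be trusted. The `"%" in p or "$" in p` check would be better placed inside `_expand_path` itself, under `if expand_vars:`, so that all three call sites share it. If the tail of `init`, which is also outside these lines, builds the instance with `cls(path, ...)`, it needs to forward `expand_vars=expand_vars`; otherwise a caller who opted out gets the path re-expanded by the constructor default.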