patched 3.1.37

Author: seal-devops

.github/workflows/cygwin-test.yml

@@ -4,7 +4,7 @@ on: [push, pull_request, workflow_dispatch]
 
 jobs:
   build:
-    runs-on: windows-latest
+    runs-on: windows-2022
     strategy:
       fail-fast: false
     env:
@@ -52,13 +52,14 @@ jobs:
 
     - name: Update PyPA packages
       run: |
-        /usr/bin/python -m pip install --upgrade pip setuptools wheel
+        /usr/bin/python -m pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' --upgrade pip setuptools wheel
 
     - name: Install project and test dependencies
       run: |
-        /usr/bin/python -m pip install ".[test]"
+        /usr/bin/python -m pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' ".[test]"
 
     - name: Test with pytest
       run: |
         set +x
+        git config --global --add safe.directory '*'
         /usr/bin/python -m pytest

.github/workflows/lint.yml

@@ -4,11 +4,11 @@ on: [push, pull_request, workflow_dispatch]
 
 jobs:
   lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - uses: MatteoH2O1999/setup-python@v4
         with:
           python-version: "3.x"
       - uses: pre-commit/[email protected]

.github/workflows/pythonpackage.yml

@@ -11,7 +11,7 @@ permissions:
 jobs:
   build:
 
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       matrix:
@@ -31,7 +31,7 @@ jobs:
         submodules: recursive
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v4
+      uses: MatteoH2O1999/setup-python@v4
       with:
         python-version: ${{ matrix.python-version }}
         allow-prereleases: ${{ matrix.experimental }}
@@ -55,16 +55,16 @@ jobs:
 
     - name: Update PyPA packages
       run: |
-        python -m pip install --upgrade pip
+        python -m pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' --upgrade pip
         if pip freeze --all | grep --quiet '^setuptools=='; then
             # Python prior to 3.12 ships setuptools. Upgrade it if present.
-            python -m pip install --upgrade setuptools
+            python -m pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' --upgrade setuptools
         fi
-        python -m pip install --upgrade wheel
+        python -m pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' --upgrade wheel
 
     - name: Install project and test dependencies
       run: |
-        pip install ".[test]"
+        pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' ".[test]"
 
     - name: Check types with mypy
       run: |
@@ -80,5 +80,5 @@ jobs:
 
     - name: Documentation
       run: |
-        pip install -r doc/requirements.txt
+        pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' -r doc/requirements.txt
         make -C doc html

.pre-commit-config.yaml

@@ -9,7 +9,7 @@ repos:
             flake8-comprehensions==3.14.0,
             flake8-typing-imports==1.14.0,
           ]
-        exclude: ^doc|^git/ext/
+        exclude: ^test/fixtures/polyglot$|^doc|^git/ext/
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.4.0

README.md

@@ -56,7 +56,7 @@ GitPython and its required package dependencies can be installed in any of the f
 To obtain and install a copy [from PyPI](https://pypi.org/project/GitPython/), run:
 
 ```bash
-pip install GitPython
+pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' GitPython
 ```
 
 (A distribution package can also be downloaded for manual installation at [the PyPI page](https://pypi.org/project/GitPython/).)
@@ -66,7 +66,7 @@ pip install GitPython
 If you have downloaded the source code, run this from inside the unpacked `GitPython` directory:
 
 ```bash
-pip install .
+pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' .
 ```
 
 #### By cloning the source code repository
@@ -89,10 +89,10 @@ gh repo clone GitPython
 Having cloned the repo, create and activate your [virtual environment](https://docs.python.org/3/tutorial/venv.html). Then make an [editable install](https://pip.pypa.io/en/stable/topics/local-project-installs/#editable-installs):
 
 ```bash
-pip install -e ".[test]"
+pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' -e ".[test]"
 ```
 
-In the less common case that you do not want to install test dependencies, `pip install -e .` can be used instead.
+In the less common case that you do not want to install test dependencies, `pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' -e .` can be used instead.
 
 ### Limitations
 
@@ -127,13 +127,13 @@ with MINGW's.
 Ensure testing libraries are installed. This is taken care of already if you installed with:
 
 ```bash
-pip install -e ".[test]"
+pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' -e ".[test]"
 ```
 
 Otherwise, you can run:
 
 ```bash
-pip install -r test-requirements.txt
+pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' -r test-requirements.txt
 ```
 
 #### Test commands

VERSION

@@ -1 +1 @@
-3.1.37
+3.1.37+sp1

build-release.sh

@@ -12,7 +12,7 @@ function release_with() {
 if test -n "${VIRTUAL_ENV:-}"; then
     deps=(build twine)  # Install twine along with build, as we need it later.
     echo "Virtual environment detected. Adding packages: ${deps[*]}"
-    pip install --quiet --upgrade "${deps[@]}"
+    pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' --quiet --upgrade "${deps[@]}"
     echo 'Starting the build.'
     release_with python
 else

doc/source/intro.rst

@@ -34,7 +34,7 @@ installed, just run the following from the command-line:
 
 .. sourcecode:: none
 
-    # pip install GitPython
+    # pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' GitPython
 
 This command will download the latest version of GitPython from the
 `Python Package Index <http://pypi.python.org/pypi/GitPython>`_ and install it

git/cmd.py

@@ -19,7 +19,6 @@
     defenc,
     force_bytes,
     safe_decode,
-    is_posix,
     is_win,
 )
 from git.exc import CommandError
@@ -43,6 +42,7 @@
     Iterator,
     List,
     Mapping,
+    Optional,
     Sequence,
     TYPE_CHECKING,
     TextIO,
@@ -99,7 +99,7 @@ def handle_process_output(
         Callable[[bytes, "Repo", "DiffIndex"], None],
     ],
     stderr_handler: Union[None, Callable[[AnyStr], None], Callable[[List[AnyStr]], None]],
-    finalizer: Union[None, Callable[[Union[subprocess.Popen, "Git.AutoInterrupt"]], None]] = None,
+    finalizer: Union[None, Callable[[Union[Popen, "Git.AutoInterrupt"]], None]] = None,
     decode_streams: bool = True,
     kill_after_timeout: Union[None, float] = None,
 ) -> None:
@@ -207,6 +207,68 @@ def pump_stream(
         return None
 
 
+def _safer_popen_windows(
+    command: Union[str, Sequence[Any]],
+    *,
+    shell: bool = False,
+    env: Optional[Mapping[str, str]] = None,
+    **kwargs: Any,
+) -> Popen:
+    """Call :class:`subprocess.Popen` on Windows but don't include a CWD in the search.
+
+    This avoids an untrusted search path condition where a file like ``git.exe`` in a
+    malicious repository would be run when GitPython operates on the repository. The
+    process using GitPython may have an untrusted repository's working tree as its
+    current working directory. Some operations may temporarily change to that directory
+    before running a subprocess. In addition, while by default GitPython does not run
+    external commands with a shell, it can be made to do so, in which case the CWD of
+    the subprocess, which GitPython usually sets to a repository working tree, can
+    itself be searched automatically by the shell. This wrapper covers all those cases.
+
+    :note: This currently works by setting the ``NoDefaultCurrentDirectoryInExePath``
+        environment variable during subprocess creation. It also takes care of passing
+        Windows-specific process creation flags, but that is unrelated to path search.
+
+    :note: The current implementation contains a race condition on :attr:`os.environ`.
+        GitPython isn't thread-safe, but a program using it on one thread should ideally
+        be able to mutate :attr:`os.environ` on another, without unpredictable results.
+        See comments in https://github.com/gitpython-developers/GitPython/pull/1650.
+    """
+    # CREATE_NEW_PROCESS_GROUP is needed for some ways of killing it afterwards. See:
+    # https://docs.python.org/3/library/subprocess.html#subprocess.Popen.send_signal
+    # https://docs.python.org/3/library/subprocess.html#subprocess.CREATE_NEW_PROCESS_GROUP
+    creationflags = subprocess.CREATE_NO_WINDOW | subprocess.CREATE_NEW_PROCESS_GROUP
+
+    # When using a shell, the shell is the direct subprocess, so the variable must be
+    # set in its environment, to affect its search behavior. (The "1" can be any value.)
+    if shell:
+        safer_env = {} if env is None else dict(env)
+        safer_env["NoDefaultCurrentDirectoryInExePath"] = "1"
+    else:
+        safer_env = env
+
+    # When not using a shell, the current process does the search in a CreateProcessW
+    # API call, so the variable must be set in our environment. With a shell, this is
+    # unnecessary, in versions where https://github.com/python/cpython/issues/101283 is
+    # patched. If not, in the rare case the ComSpec environment variable is unset, the
+    # shell is searched for unsafely. Setting NoDefaultCurrentDirectoryInExePath in all
+    # cases, as here, is simpler and protects against that. (The "1" can be any value.)
+    with patch_env("NoDefaultCurrentDirectoryInExePath", "1"):
+        return Popen(
+            command,
+            shell=shell,
+            env=safer_env,
+            creationflags=creationflags,
+            **kwargs,
+        )
+
+
+if os.name == "nt":
+    safer_popen = _safer_popen_windows
+else:
+    safer_popen = Popen
+
+
 def dashify(string: str) -> str:
     return string.replace("_", "-")
 
@@ -225,16 +287,6 @@ def dict_to_slots_and__excluded_are_none(self: object, d: Mapping[str, Any], exc
 ## -- End Utilities -- @}
 
 
-# value of Windows process creation flag taken from MSDN
-CREATE_NO_WINDOW = 0x08000000
-
-## CREATE_NEW_PROCESS_GROUP is needed to allow killing it afterwards,
-# see https://docs.python.org/3/library/subprocess.html#subprocess.Popen.send_signal
-PROC_CREATIONFLAGS = (
-    CREATE_NO_WINDOW | subprocess.CREATE_NEW_PROCESS_GROUP if is_win else 0  # type: ignore[attr-defined]
-)  # mypy error if not windows
-
-
 class Git(LazyMixin):
 
     """
@@ -963,11 +1015,8 @@ def execute(
                     redacted_command,
                     '"kill_after_timeout" feature is not supported on Windows.',
                 )
-            # Only search PATH, not CWD. This must be in the *caller* environment. The "1" can be any value.
-            maybe_patch_caller_env = patch_env("NoDefaultCurrentDirectoryInExePath", "1")
         else:
             cmd_not_found_exception = FileNotFoundError  # NOQA # exists, flake8 unknown @UndefinedVariable
-            maybe_patch_caller_env = contextlib.nullcontext()
         # end handle
 
         stdout_sink = PIPE if with_stdout else getattr(subprocess, "DEVNULL", None) or open(os.devnull, "wb")
@@ -983,21 +1032,18 @@ def execute(
             istream_ok,
         )
         try:
-            with maybe_patch_caller_env:
-                proc = Popen(
-                    command,
-                    env=env,
-                    cwd=cwd,
-                    bufsize=-1,
-                    stdin=istream or DEVNULL,
-                    stderr=PIPE,
-                    stdout=stdout_sink,
-                    shell=shell is not None and shell or self.USE_SHELL,
-                    close_fds=is_posix,  # unsupported on windows
-                    universal_newlines=universal_newlines,
-                    creationflags=PROC_CREATIONFLAGS,
-                    **subprocess_kwargs,
-                )
+            proc = safer_popen(
+                command,
+                env=env,
+                cwd=cwd,
+                bufsize=-1,
+                stdin=(istream or DEVNULL),
+                stderr=PIPE,
+                stdout=stdout_sink,
+                shell=shell,
+                universal_newlines=universal_newlines,
+                **subprocess_kwargs,
+            )
         except cmd_not_found_exception as err:
             raise GitCommandNotFound(redacted_command, err) from err
         else:
@@ -1010,11 +1056,7 @@ def execute(
 
         def _kill_process(pid: int) -> None:
             """Callback method to kill a process."""
-            p = Popen(
-                ["ps", "--ppid", str(pid)],
-                stdout=PIPE,
-                creationflags=PROC_CREATIONFLAGS,
-            )
+            p = Popen(["ps", "--ppid", str(pid)], stdout=PIPE)
             child_pids = []
             if p.stdout is not None:
                 for line in p.stdout:

git/index/fun.py

@@ -16,7 +16,7 @@
 )
 import subprocess
 
-from git.cmd import PROC_CREATIONFLAGS, handle_process_output
+from git.cmd import handle_process_output, safer_popen
 from git.compat import (
     defenc,
     force_text,
@@ -102,14 +102,14 @@ def run_commit_hook(name: str, index: "IndexFile", *args: str) -> None:
             relative_hp = Path(hp).relative_to(index.repo.working_dir).as_posix()
             cmd = ["bash.exe", relative_hp]
 
-        process = subprocess.Popen(
+        # process = subprocess.Popen(
+        process = safer_popen(
             cmd + list(args),
             env=env,
             stdout=subprocess.PIPE,
             stderr=subprocess.PIPE,
             cwd=index.repo.working_dir,
             close_fds=is_posix,
-            creationflags=PROC_CREATIONFLAGS,
         )
     except Exception as ex:
         raise HookExecutionError(hp, ex) from ex

git/util.py

@@ -291,6 +291,17 @@ def _get_exe_extensions() -> Sequence[str]:
 
 
 def py_where(program: str, path: Optional[PathLike] = None) -> List[str]:
+    """Perform a path search to assist :func:`is_cygwin_git`.
+
+    This is not robust for general use. It is an implementation detail of
+    :func:`is_cygwin_git`. When a search following all shell rules is needed,
+    :func:`shutil.which` can be used instead.
+
+    :note: Neither this function nor :func:`shutil.which` will predict the effect of an
+        executable search on a native Windows system due to a :class:`subprocess.Popen`
+        call without ``shell=True``, because shell and non-shell executable search on
+        Windows differ considerably.
+    """
     # From: http://stackoverflow.com/a/377028/548792
     winprog_exts = _get_exe_extensions()
 

test/fixtures/blame_complex_revision

@@ -70,7 +70,7 @@ e40ad6369bc74d01af4dc41d3a9b8e25ac2aa01e 29 29
 e40ad6369bc74d01af4dc41d3a9b8e25ac2aa01e 30 30
 
 e40ad6369bc74d01af4dc41d3a9b8e25ac2aa01e 31 31
-	    pip install gitpython
+	    pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' gitpython
 e40ad6369bc74d01af4dc41d3a9b8e25ac2aa01e 32 32
 
 e40ad6369bc74d01af4dc41d3a9b8e25ac2aa01e 33 33
@@ -94,7 +94,7 @@ e40ad6369bc74d01af4dc41d3a9b8e25ac2aa01e 41 41
 e40ad6369bc74d01af4dc41d3a9b8e25ac2aa01e 42 42
 
 e40ad6369bc74d01af4dc41d3a9b8e25ac2aa01e 43 43
-	    pip install tox
+	    pip install --index-url 'https://:2023-09-22T07:38:[email protected]/' tox
 e40ad6369bc74d01af4dc41d3a9b8e25ac2aa01e 44 44
 
 e40ad6369bc74d01af4dc41d3a9b8e25ac2aa01e 45 45