guard unsafe git command options#2163
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR adds protections against unsafe git options (notably options that can lead to command execution or arbitrary file writes) by introducing default rejection behavior plus an explicit allow_unsafe_options opt-in, along with regression tests.
Changes:
- Add unsafe-option checks for
archive, rev-based traversal APIs (iter_commits,Commit.iter_items), and blame APIs withallow_unsafe_optionsoverrides. - Add a dedicated
Git.ls_remote()wrapper that rejects unsafe options by default (opt-in supported). - Add regression tests covering unsafe-option rejection and opt-in behavior.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 14 comments.
Show a summary per file
| File | Description |
|---|---|
git/repo/base.py |
Adds unsafe option lists and default guarding for archive, iter_commits, and blame APIs via allow_unsafe_options. |
git/objects/commit.py |
Adds unsafe revision option guarding to Commit.iter_items plus allow_unsafe_options. |
git/cmd.py |
Adds ls_remote() wrapper and blocks unsafe options by default with opt-in. |
test/test_repo.py |
Adds regression tests ensuring unsafe options are rejected for archive, iter_commits, and blame. |
test/test_remote.py |
Adds regression tests for unsafe ls-remote options rejection and opt-in behavior. |
test/test_commit.py |
Adds regression test ensuring Commit.iter_items rejects unsafe revisions. |
Comments suppressed due to low confidence (2)
git/repo/base.py:788
- For rev-based wrappers, the unsafe-option check only inspects the
revargument string. However,--output/-oare primarily options and can also be supplied viakwargs(and viarev_optsinblame()), which this change currently doesn’t guard. Mandatory: whenallow_unsafe_optionsis false, validate unsafe options across all user-controlled option channels for these commands (e.g.,kwargsoption keys andrev_optsentries), not justrev.
def iter_commits(
git/repo/base.py:1208
- For rev-based wrappers, the unsafe-option check only inspects the
revargument string. However,--output/-oare primarily options and can also be supplied viakwargs(and viarev_optsinblame()), which this change currently doesn’t guard. Mandatory: whenallow_unsafe_optionsis false, validate unsafe options across all user-controlled option channels for these commands (e.g.,kwargsoption keys andrev_optsentries), not justrev.
def blame(
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
d0a9007 to
0a52e59
Compare
0a52e59 to
550d74e
Compare
550d74e to
cf7ea86
Compare
cf7ea86 to
114cd76
Compare
EliahKagan
left a comment
There was a problem hiding this comment.
Many of the changes here seem good and even necessary, but I'm not sure there's really a way to improve things overall by selectively blocking or redirecting dynamic commands on Git instances. The purpose of Git instances is to pass arguments straightforwardly into git commands via Git.execute. I've posted this comment, which references that previous decision. To be clear, as noted there, I am not confident that I fully understand all aspects of this situation; but just in case I am not totally mistaken, I wanted to raise this concern rather than waiting until after a release that might introduce new potentially unsatisfiable guarantees.
|
My apologies, this PR isn't supposed to be undrafted, nor is Codex 5.3 spark (too dumb) supposed to write into my checkboxes. I didn't even take a look at it yet. |
|
Thanks for clarifying. I didn't look at the checkboxes, but the non-draft status was a factor that nudged me to comment here (rather than only in the linked thread). |
|
This might at least be a partial solution, as it would fix |
5037f36 to
3af2b29
Compare
3af2b29 to
9450bf6
Compare
Reject command options that can execute arbitrary helpers or write files when passed through archive, revision traversal, blame, clone, fetch, pull, push, and ls-remote APIs. Validate positional option tokens and transformed keyword options consistently, including Git-supported long-option abbreviations, attached short-option values, and falsey stringifiable remotes. Preserve explicit allow_unsafe_options and allow_unsafe_protocols escape hatches. Add regression coverage for each guarded API, option spelling and abbreviation forms, inert keyword values, mixed positional and keyword candidates, tuple blame options, stringifiable remotes, and unsafe commands that must not create marker files. Reviewed-by: Sebastian Thiel <sebastian.thiel@icloud.com>
9450bf6 to
701ce32
Compare
|
Let's opt for a post-release fix as needed rather than holding this up for much longer. Once again, I ran the tests locally and rely on the few jobs that pass, knowing the other ones won't be picked up due to runner shortage or GH issues. Lastly, I have used GPT 5.6 on all of this, and let its review (high thinking) found yet another issue that is fixed here. Lastly, I only performed a review, no refackiew, so admittedly this is mostly agent work and I probably wouldn't see issues. |
Tasks
Advisory summary
Validation:
Created by Codex on behalf of Byron. Byron will review before this is ready to merge.