Skip to content

fix: preserve literal clone URLs#2172

Merged
Byron merged 1 commit into
mainfrom
fix-clone-expandvars
Jul 16, 2026
Merged

fix: preserve literal clone URLs#2172
Byron merged 1 commit into
mainfrom
fix-clone-expandvars

Conversation

@Byron

@Byron Byron commented Jul 15, 2026

Copy link
Copy Markdown
Member

Tasks

This section is for Byron only. Models continuing this PR must not add, remove, check, uncheck, rename, or reorder checkboxes here.

  • refackiew

Everything below this line was generated by Codex GPT-5.

Created by Codex on behalf of Byron. Byron will review before this is ready to merge.

Summary

Preserve caller-provided clone URLs literally when invoking Git and when storing the resulting origin URL. Validate unsafe protocols against the exact normalized value passed to Git. Legacy expansion remains available to callers that intentionally normalize local paths.

Security advisory

Advisory summary

  • Severity: High
  • Package: gitpython (pip)
  • Affected range: <= 3.1.50
  • Patched version: not yet assigned
  • CVE: not yet assigned

The advisory remains a draft, so this description intentionally omits exploit details.

Validation

  • pytest test/test_clone.py -q — 20 passed, 1 skipped
  • ruff check on changed files — passed
  • ruff format --check on changed files — passed
  • Full pytest -q — 681 passed, 73 skipped, 1 xfailed; 7 unrelated local environment/baseline failures (including tests that assume a master default branch and local daemon/config behavior)

Git behavior reference

Git passes clone URL arguments through literally; t/t5601-clone.sh exercises accepted clone URL forms without shell-style environment expansion.

@Byron Byron force-pushed the fix-clone-expandvars branch 2 times, most recently from 4db3773 to 6575026 Compare July 15, 2026 15:03
Repo.clone_from() expanded environment-variable references in caller-supplied
URLs before passing them to git clone. This could expose process environment
values to an untrusted remote and made protocol validation apply to a different
value than Git received.

Polish clone URLs without variable or home expansion on native and Cygwin
Git, then apply unsafe-protocol validation to that exact normalized value.
Preserve the literal URL when normalizing the stored origin after a successful
clone, while retaining the existing Git.polish_url() default for callers
that intentionally normalize local paths. Add regression coverage for
POSIX and Windows variable syntax, Cygwin conversion, stored origins, and
post-normalization protocol validation.

Git baseline: git clone passes URL arguments through literally; t/t5601-clone.sh
covers the accepted URL forms without shell-style environment expansion.

Security: GHSA-rwj8-pgh3-r573.

Co-authored-by: Sebastian Thiel <[email protected]>
@Byron Byron force-pushed the fix-clone-expandvars branch from 6575026 to 8ac5a30 Compare July 16, 2026 02:53
@Byron Byron marked this pull request as ready for review July 16, 2026 02:53
Copilot AI review requested due to automatic review settings July 16, 2026 02:53

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens Repo.clone_from URL handling by preventing environment/~ expansion for clone URLs and for the stored origin URL, aligning GitPython behavior with Git’s literal argument handling and supporting the referenced security advisory.

Changes:

  • Add an expand_vars switch to Git.polish_url and propagate it through cygpath/_cygexpath.
  • In Repo._clone, use a literal (non-expanding) polished URL for unsafe-protocol validation and for the git clone invocation; also avoid expansion when persisting remote.origin.url.
  • Add regression tests ensuring clone URLs and stored origin URLs preserve environment-variable-like substrings literally.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
test/test_clone.py Adds tests asserting clone URLs and stored origin URLs are not environment-expanded; adds protocol-check regression coverage.
git/util.py Adds expand_vars control to cygpath and _cygexpath to support non-expanding URL polishing on Cygwin.
git/repo/base.py Switches clone URL handling to non-expanding polishing and checks unsafe protocols against the exact value passed to Git; stores origin URL without expansion.
git/cmd.py Extends Git.polish_url with expand_vars (docs + behavior) and uses it to disable env/~ expansion when requested.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread test/test_clone.py
@Byron Byron merged commit c65dfb3 into main Jul 16, 2026
31 checks passed
@Byron Byron deleted the fix-clone-expandvars branch July 16, 2026 03:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants