
Fix leaking environment variables #662

Merged
Byron merged 2 commits into gitpython-developers:master from Plazmaz:master
Sep 28, 2017

Plazmaz commented Aug 21, 2017

When cloning a repo, GitPython will leak environment variables in error messages. For instance, this code:

import git
repo = git.Repo('https://www.github.com/Plazmaz/${PATH}')
repo.clone('testrepo/$PATH')

will output something like:

Traceback (most recent call last):
  File "test.py", line 2, in <module>
    repo = repo.Repo('https://www.github.com/Plazmaz/${PATH}', unsafe=True)
  File "GitPython/git/repo/base.py", line 133, in __init__
    raise NoSuchPathError(epath)
git.exc.NoSuchPathError: <THE CONTENTS OF $PATH>

This behavior has unwanted security implications. To counter this, I've added an unsafe variable, which will allow for environment variables to be expanded; otherwise, this behavior is disabled. By default, this variable is set to True. However, when used with environment variables, a warning is displayed. Hopefully, this will eventually be set to False by default. When running the same code, but with unsafe set to False, here's the output:

Traceback (most recent call last):
  File "test.py", line 2, in <module>
    repo = repo.Repo('https://www.github.com/Plazmaz/${PATH}', unsafe=False)
  File "GitPython/git/repo/base.py", line 133, in __init__
    raise NoSuchPathError(epath)
git.exc.NoSuchPathError: 
Documents/https:/www.github.com/Plazmaz/${PATH}
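
The pattern described in this pull request, reduced to a stand-alone sketch that runs without GitPython. This is an added example, not code from the PR or from GitPython: `resolve_repo_path`, `error_text`, the warning text, the `DEMO_SECRET` variable and the URL are hypothetical or constructed, and only the `unsafe` flag name follows the description above.

```python
import os
import warnings


class NoSuchPathError(OSError):
    """Stand-in for git.exc.NoSuchPathError (hypothetical, not GitPython's class)."""


def resolve_repo_path(path, unsafe=True):
    """unsafe=True expands environment variables in `path`; False keeps it literal."""
    candidate = path
    if unsafe:
        expanded = os.path.expandvars(path)
        if expanded != path:
            warnings.warn(
                "environment variables in the path were expanded; "
                "pass unsafe=False for untrusted input",
                stacklevel=2,
            )
        candidate = expanded
    candidate = os.path.abspath(candidate)
    if not os.path.exists(candidate):
        # The exception text carries whatever string was resolved above.
        raise NoSuchPathError(candidate)
    return candidate


def error_text(path, unsafe):
    """Return the message a caller would log or display when the path is missing."""
    try:
        resolve_repo_path(path, unsafe=unsafe)
    except NoSuchPathError as exc:
        return str(exc)
    return ""


# Constructed sample: a fake secret and an untrusted path string that names it.
os.environ["DEMO_SECRET"] = "constructed-token-123"
UNTRUSTED = "https://www.example.invalid/user/${DEMO_SECRET}"

if __name__ == "__main__":
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        print("unsafe=True :", error_text(UNTRUSTED, unsafe=True))
    print("unsafe=False:", error_text(UNTRUSTED, unsafe=False))
```

Any service that passes user-supplied repository paths to such a function and returns or logs the exception text should use the non-expanding mode.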
