CVE-2023-40590 Hand Cherry-Picking pull/1636

rickprice · rickprice · commit 20f5e4215e54 · 2024-10-10T12:41:53.000-04:00
Fix syntax error

Switch to mock

Fix print function

Get TemporaryDirectory for Python2

We don't really care about the encoding of the file

Its a script

Use six to get assertRegex

Create a nullcontext

Fix unicode problem

Just use the Python2 methods
diff --git a/git/cmd.py b/git/cmd.py
@@ -4,7 +4,7 @@
 # This module is part of GitPython and is released under
 # the BSD License: http://www.opensource.org/licenses/bsd-license.php
 
-from contextlib import contextmanager
+import contextlib
 import io
 import logging
 import os
@@ -19,6 +19,7 @@
 import threading
 from collections import OrderedDict
 from textwrap import dedent
+import mock
 
 from git.compat import (
     string_types,
@@ -59,6 +60,11 @@
 __all__ = ('Git',)
 
 
+@contextlib.contextmanager
+def nullcontext(enter_result=None):
+    yield enter_result
+
+
 # ==============================================================================
 ## @name Utilities
 # ------------------------------------------------------------------------------
@@ -705,11 +711,15 @@ def execute(self, command,
             cmd_not_found_exception = OSError
             if kill_after_timeout:
                 raise GitCommandError(command, '"kill_after_timeout" feature is not supported on Windows.')
+
+            # Only search PATH, not CWD. This must be in the *caller* environment. The "1" can be any value.
+            patch_caller_env = unittest.mock.patch.dict(os.environ, {"NoDefaultCurrentDirectoryInExePath": "1"})
         else:
             if sys.version_info[0] > 2:
                 cmd_not_found_exception = FileNotFoundError  # NOQA # exists, flake8 unknown @UndefinedVariable
             else:
                 cmd_not_found_exception = OSError
+            patch_caller_env = nullcontext()
         # end handle
 
         stdout_sink = (PIPE
@@ -721,19 +731,21 @@ def execute(self, command,
         log.debug("Popen(%s, cwd=%s, universal_newlines=%s, shell=%s, istream=%s)",
                   command, cwd, universal_newlines, shell, istream_ok)
         try:
-            proc = Popen(command,
-                         env=env,
-                         cwd=cwd,
-                         bufsize=-1,
-                         stdin=istream,
-                         stderr=PIPE,
-                         stdout=stdout_sink,
-                         shell=shell is not None and shell or self.USE_SHELL,
-                         close_fds=is_posix,  # unsupported on windows
-                         universal_newlines=universal_newlines,
-                         creationflags=PROC_CREATIONFLAGS,
-                         **subprocess_kwargs
-                         )
+            with patch_caller_env:
+                proc = Popen(
+                    command,
+                    env=env,
+                    cwd=cwd,
+                    bufsize=-1,
+                    stdin=istream,
+                    stderr=PIPE,
+                    stdout=stdout_sink,
+                    shell=shell is not None and shell or self.USE_SHELL,
+                    close_fds=is_posix,  # unsupported on windows
+                    universal_newlines=universal_newlines,
+                    creationflags=PROC_CREATIONFLAGS,
+                    **subprocess_kwargs
+                )
         except cmd_not_found_exception as err:
             raise GitCommandNotFound(command, err)
 
@@ -862,7 +874,7 @@ def update_environment(self, **kwargs):
                 del self._environment[key]
         return old_env
 
-    @contextmanager
+    @contextlib.contextmanager
     def custom_environment(self, **kwargs):
         """
         A context manager around the above ``update_environment`` method to restore the
diff --git a/git/test/test_git.py b/git/test/test_git.py
@@ -4,10 +4,16 @@
 #
 # This module is part of GitPython and is released under
 # the BSD License: http://www.opensource.org/licenses/bsd-license.php
+from __future__ import print_function
+
+import contextlib
 import os
+import shutil
 import subprocess
 import sys
 from tempfile import TemporaryFile
+from backports.tempfile import TemporaryDirectory
+import six
 
 from git import (
     Git,
@@ -40,6 +46,16 @@
 
 from git.compat import is_win
 
+@contextlib.contextmanager
+def _chdir(new_dir):
+    """Context manager to temporarily change directory. Not reentrant."""
+    old_dir = os.getcwd()
+    os.chdir(new_dir)
+    try:
+        yield
+    finally:
+        os.chdir(old_dir)
+
 
 class TestGit(TestBase):
 
@@ -100,6 +116,24 @@ def test_it_transforms_kwargs_into_git_command_arguments(self):
     def test_it_executes_git_to_shell_and_returns_result(self):
         assert_match(r'^git version [\d\.]{2}.*$', self.git.execute(["git", "version"]))
 
+    def test_it_executes_git_not_from_cwd(self):
+        with TemporaryDirectory() as tmpdir:
+            if is_win:
+                # Copy an actual binary executable that is not git.
+                other_exe_path = os.path.join(os.getenv("WINDIR"), "system32", "hostname.exe")
+                impostor_path = os.path.join(tmpdir, "git.exe")
+                shutil.copy(other_exe_path, impostor_path)
+            else:
+                # Create a shell script that doesn't do anything.
+                impostor_path = os.path.join(tmpdir, "git")
+                with open(impostor_path, mode="w") as file:
+                    print("#!/bin/sh", file=file)
+                os.chmod(impostor_path, 0o755)
+
+            with _chdir(tmpdir):
+                # six.assertRegex(self.git.execute(["git", "version"]).encode("UTF-8"), r"^git version\b")
+                self.assertRegexpMatches(self.git.execute(["git", "version"]), r"^git version\b")
+
     def test_it_accepts_stdin(self):
         filename = fixture_path("cat_file_blob")
         with open(filename, 'r') as fh:
diff --git a/requirements.txt b/requirements.txt
@@ -1 +1,2 @@
 gitdb2>=2,<3
+mock
diff --git a/test-requirements.txt b/test-requirements.txt
@@ -3,4 +3,5 @@ coverage
 flake8
 nose
 tox
-mock; python_version=='2.7'
+backports.tempfile
+six
