
Accepting request 1225870 from devel:languages:python

- drop of CVE-2023-41040.patch because it is included in the upstream version
- drop of test-skips.patch
- drop of test_blocking_lock_file-extra-time.patch
- Update to version 3.1.43:
  * Issue and test deprecation warnings by @EliahKagan in #1886
  * Fix version_info cache invalidation, typing, parsing, and serialization by @EliahKagan in #1838
  * Document manual refresh path treatment by @EliahKagan in #1839
  * Improve static typing and docstrings related to git object types by @EliahKagan in #1859
  * Fix release link in changelog by @PeterJCLaw in #1795
  * Remove test dependency on sumtypes library by @EliahKagan in #1798
  * Pin Sphinx plugins to compatible versions by @EliahKagan in #1803
  * fix: treeNotSorted issue by @et-repositories in #1799
  * Remove git.util.NullHandler by @EliahKagan in #1807
  * Clarify why GIT_PYTHON_GIT_EXECUTABLE may be set on failure by @EliahKagan in #1810
  * Report actual attempted Git command when Git.refresh fails by @EliahKagan in #1812
  * Don't suppress messages when logging is not configured by @EliahKagan in #1813
  * Pin Python 3.9.16 on Cygwin CI by @EliahKagan in #1814
  * Have initial refresh use a logger to warn by @EliahKagan in #1815
  * Omit warning prefix in "Bad git executable" message by @EliahKagan in #1816
  * Test with M1 macOS CI runner by @EliahKagan in #1817
  * Bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in #1818
  * Bump Vampire/setup-wsl from 2.0.2 to 3.0.0 by @dependabot in #1819
  * Remove deprecated section in README.md by @marcm-ml in #1823
  * Keep temp files out of project dir and improve cleanup by @EliahKagan in #1825
  * Add __all__ in git.exc by @EliahKagan in #1719
  * Set submodule update cadence to weekly by @EliahKagan in #1721
  * Never modify sys.path by @EliahKagan in #1720
  * Bump git/ext/gitdb from 8ec2390 to ec58b7e by @dependabot in #1722
  * Revise comments, docstrings, some messages, and a bit of code by @EliahKagan in #1725
  * Use zero-argument super() by @EliahKagan in #1726

OBS-URL: https://build.opensuse.org/request/show/1225870
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-GitPython?expand=0&rev=30
2024-11-26 19:55:16 +00:00
committed by Git OBS Bridge
8 changed files with 127 additions and 198 deletions


@@ -1,53 +0,0 @@
diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
index 33c3bf15b..5c293aa7b 100644
--- a/git/refs/symbolic.py
+++ b/git/refs/symbolic.py
@@ -168,6 +168,8 @@ def _get_ref_info_helper(
"""Return: (str(sha), str(target_ref_path)) if available, the sha the file at
rela_path points to, or None. target_ref_path is the reference we
point to, or None"""
+ if ".." in str(ref_path):
+ raise ValueError(f"Invalid reference '{ref_path}'")
tokens: Union[None, List[str], Tuple[str, str]] = None
repodir = _git_dir(repo, ref_path)
try:
diff --git a/test/test_refs.py b/test/test_refs.py
index 4c421767e..e7526c3b2 100644
--- a/test/test_refs.py
+++ b/test/test_refs.py
@@ -5,6 +5,7 @@
# the BSD License: http://www.opensource.org/licenses/bsd-license.php
from itertools import chain
+from pathlib import Path
from git import (
Reference,
@@ -20,9 +21,11 @@
from git.objects.tag import TagObject
from test.lib import TestBase, with_rw_repo
from git.util import Actor
+from gitdb.exc import BadName
import git.refs as refs
import os.path as osp
+import tempfile
class TestRefs(TestBase):
@@ -616,3 +619,15 @@ def test_dereference_recursive(self):
def test_reflog(self):
assert isinstance(self.rorepo.heads.master.log(), RefLog)
+
+ def test_refs_outside_repo(self):
+ # Create a file containing a valid reference outside the repository. Attempting
+ # to access it should raise an exception, due to it containing a parent directory
+ # reference ('..'). This tests for CVE-2023-41040.
+ git_dir = Path(self.rorepo.git_dir)
+ repo_parent_dir = git_dir.parent.parent
+ with tempfile.NamedTemporaryFile(dir=repo_parent_dir) as ref_file:
+ ref_file.write(b"91b464cd624fe22fbf54ea22b85a7e5cca507cfe")
+ ref_file.flush()
+ ref_file_name = Path(ref_file.name).name
+ self.assertRaises(BadName, self.rorepo.commit, f"../../{ref_file_name}")

GitPython-3.1.34.1693646983.2a2ae77.tar.xz (Stored with Git LFS)


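--- a/GitPython-3.1.43.tar.gz
+++ b/GitPython-3.1.43.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f87dfd8e0d0fce15690a5e84b92d3b02710161e116fda5d5f2324144b2cca23d
+size 529566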


@@ -1,15 +1,15 @@
<services>
<service name="tar_scm" mode="manual">
<param name="versionprefix">3.1.34</param>
<param name="versionprefix">3.1.43</param>
<param name="url">https://github.com/gitpython-developers/GitPython</param>
<param name="scm">git</param>
<param name="package-meta">yes</param>
<param name="changesgenerate">enable</param>
<param name="submodules">enable</param>
<param name="revision">3.1.34</param>
<param name="revision">3.1.43</param>
</service>
<service name="recompress" mode="manual">
<param name="compression">xz</param>
<param name="compression">gz</param>
<param name="file">*.tar</param>
</service>
<service name="set_version" mode="manual"/>


@@ -1,3 +1,120 @@
-------------------------------------------------------------------
Mon Nov 18 21:31:25 UTC 2024 - Anton Smorodskyi <anton.smorodskyi@suse.com>
- drop of CVE-2023-41040.patch because it included in upstream version
- drop of test-skips.patch
- drop of test_blocking_lock_file-extra-time.patch
- Update to version 3.1.43:
* Issue and test deprecation warnings by @EliahKagan in #1886
* Fix version_info cache invalidation, typing, parsing, and serialization by @EliahKagan in #1838
* Document manual refresh path treatment by @EliahKagan in #1839
* Improve static typing and docstrings related to git object types by @EliahKagan in #1859
* Fix release link in changelog by @PeterJCLaw in #1795
* Remove test dependency on sumtypes library by @EliahKagan in #1798
* Pin Sphinx plugins to compatible versions by @EliahKagan in #1803
* fix: treeNotSorted issue by @et-repositories in #1799
* Remove git.util.NullHandler by @EliahKagan in #1807
* Clarify why GIT_PYTHON_GIT_EXECUTABLE may be set on failure by @EliahKagan in #1810
* Report actual attempted Git command when Git.refresh fails by @EliahKagan in #1812
* Don't suppress messages when logging is not configured by @EliahKagan in #1813
* Pin Python 3.9.16 on Cygwin CI by @EliahKagan in #1814
* Have initial refresh use a logger to warn by @EliahKagan in #1815
* Omit warning prefix in "Bad git executable" message by @EliahKagan in #1816
* Test with M1 macOS CI runner by @EliahKagan in #1817
* Bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in #1818
* Bump Vampire/setup-wsl from 2.0.2 to 3.0.0 by @dependabot in #1819
* Remove deprecated section in README.md by @marcm-ml in #1823
* Keep temp files out of project dir and improve cleanup by @EliahKagan in #1825
* Add __all__ in git.exc by @EliahKagan in #1719
* Set submodule update cadence to weekly by @EliahKagan in #1721
* Never modify sys.path by @EliahKagan in #1720
* Bump git/ext/gitdb from 8ec2390 to ec58b7e by @dependabot in #1722
* Revise comments, docstrings, some messages, and a bit of code by @EliahKagan in #1725
* Use zero-argument super() by @EliahKagan in #1726
* Remove obsolete note in _iter_packed_refs by @EliahKagan in #1727
* Reorganize test_util and make xfail marks precise by @EliahKagan in #1729
* Clarify license and make module top comments more consistent by @EliahKagan in #1730
* Deprecate compat.is_, rewriting all uses by @EliahKagan in #1732
* Revise and restore some module docstrings by @EliahKagan in #1735
* Make the rmtree callback Windows-only by @EliahKagan in #1739
* List all non-passing tests in test summaries by @EliahKagan in #1740
* Document some minor subtleties in test_util.py by @EliahKagan in #1749
* Always read metadata files as UTF-8 in setup.py by @EliahKagan in #1748
* Test native Windows on CI by @EliahKagan in #1745
* Test macOS on CI by @EliahKagan in #1752
* Let close_fds be True on all platforms by @EliahKagan in #1753
* Fix IndexFile.from_tree on Windows by @EliahKagan in #1751
* Remove unused TASKKILL fallback in AutoInterrupt by @EliahKagan in #1754
* Don't return with operand when conceptually void by @EliahKagan in #1755
* Group .gitignore entries by purpose by @EliahKagan in #1758
* Adding dubious ownership handling by @marioaag in #1746
* Avoid brittle assumptions about preexisting temporary files in tests by @EliahKagan in #1759
* Overhaul noqa directives by @EliahKagan in #1760
* Clarify some Git.execute kill_after_timeout limitations by @EliahKagan in #1761
* Bump actions/setup-python from 4 to 5 by @dependabot in #1763
* Don't install black on Cygwin by @EliahKagan in #1766
* Extract all "import gc" to module level by @EliahKagan in #1765
* Extract remaining local "import gc" to module level by @EliahKagan in #1768
* Replace xfail with gc.collect in TestSubmodule.test_rename by @EliahKagan in #1767
* Enable CodeQL by @EliahKagan in #1769
* Replace some uses of the deprecated mktemp function by @EliahKagan in #1770
* Bump github/codeql-action from 2 to 3 by @dependabot in #1773
* Run some Windows environment variable tests only on Windows by @EliahKagan in #1774
* Fix TemporaryFileSwap regression where file_path could not be Path by @EliahKagan in #1776
* Improve hooks tests by @EliahKagan in #1777
* Fix if items of Index is of type PathLike by @stegm in #1778
* Better document IterableObj.iter_items and improve some subclasses by @EliahKagan in #1780
* Revert "Don't install black on Cygwin" by @EliahKagan in #1783
* Add missing pip in $PATH on Cygwin CI by @EliahKagan in #1784
* Shorten Iterable docstrings and put IterableObj first by @EliahKagan in #1785
* Fix incompletely revised Iterable/IterableObj docstrings by @EliahKagan in #1786
* Pre-deprecate setting Git.USE_SHELL by @EliahKagan in #1782
* Deprecate Git.USE_SHELL by @EliahKagan in #1787
* In handle_process_output don't forward finalizer result by @EliahKagan in #1788
* Fix mypy warning "Missing return statement" by @EliahKagan in #1789
* Fix two remaining Windows untrusted search path cases by @EliahKagan in #1792
* Add missing assert keywords by @EliahKagan in #1678
* Make clear every test's status in every CI run by @EliahKagan in #1679
* Fix new link to license in readme by @EliahKagan in #1680
* Drop unneeded flake8 suppressions by @EliahKagan in #1681
* Update instructions and test helpers for git-daemon by @EliahKagan in #1684
* Fix Git.execute shell use and reporting bugs by @EliahKagan in #1687
* No longer allow CI to select a prerelease for 3.12 by @EliahKagan in #1689
* Clarify Git.execute and Popen arguments by @EliahKagan in #1688
* Ask git where its daemon is and use that by @EliahKagan in #1697
* Fix bugs affecting exception wrapping in rmtree callback by @EliahKagan in #1700
* Fix dynamically-set all variable by @DeflateAwning in #1659
* Fix small #1662 regression due to #1659 by @EliahKagan in #1701
* Drop obsolete info on yanking from security policy by @EliahKagan in #1703
* Have Dependabot offer submodule updates by @EliahKagan in #1702
* Bump git/ext/gitdb from 49c3178 to 8ec2390 by @dependabot in #1704
* Bump git/ext/gitdb from 8ec2390 to 6a22706 by @dependabot in #1705
* Update readme for milestone-less releasing by @EliahKagan in #1707
* Run Cygwin CI workflow commands in login shells by @EliahKagan in #1709
* Improve Python version and OS compatibility, fixing deprecations by @EliahKagan in #1654
* Better document env_case test/fixture and cwd by @EliahKagan in #1657
* Remove spurious executable permissions by @EliahKagan in #1658
* Fix up checks in Makefile and make them portable by @EliahKagan in #1661
* Fix URLs that were redirecting to another license by @EliahKagan in #1662
* Assorted small fixes/improvements to root dir docs by @EliahKagan in #1663
* Use venv instead of virtualenv in test_installation by @EliahKagan in #1664
* Omit py_modules in setup by @EliahKagan in #1665
* Don't track code coverage temporary files by @EliahKagan in #1666
* Configure tox by @EliahKagan in #1667
* Format tests with black and auto-exclude untracked paths by @EliahKagan in #1668
* Upgrade and broaden flake8, fixing style problems and bugs by @EliahKagan in #1673
* Fix rollback bug in SymbolicReference.set_reference by @EliahKagan in #1675
* Remove @NoEffect annotations by @EliahKagan in #1677
* Add more checks for the validity of refnames by @facutuesca in #1672
* Bump actions/checkout from 3 to 4 by @dependabot in #1643
* Fix 'Tree' object has no attribute '_name' when submodule path is normal path by @CosmosAtlas in #1645
* Fix CVE-2023-41040 by @facutuesca in #1644
* Only make config more permissive in tests that need it by @EliahKagan in #1648
* Added test for PR #1645 submodule path by @CosmosAtlas in #1647
* Fix Windows environment variable upcasing bug by @EliahKagan in #1650
-------------------------------------------------------------------
Tue Sep 5 08:30:24 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>


@@ -1,7 +1,7 @@
#
# spec file for package python-GitPython
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,20 +16,14 @@
#
%define skip_python2 1
%define simple_ver 3.1.34
%{?sle15_python_module_pythons}
Name: python-GitPython
Version: 3.1.34.1693646983.2a2ae77
Version: 3.1.43
Release: 0
Summary: Python Git Library
License: BSD-3-Clause
URL: https://github.com/gitpython-developers/GitPython
Source: GitPython-%{version}.tar.xz
Patch0: test-skips.patch
Patch1: test_blocking_lock_file-extra-time.patch
# PATCH-FIX-UPSTREAM CVE-2023-41040.patch gh#gitpython-developers/GitPython#1644
Patch2: CVE-2023-41040.patch
Source: GitPython-%{version}.tar.gz
BuildRequires: %{python_module ddt >= 1.1.1}
BuildRequires: %{python_module gitdb >= 4.0.1}
BuildRequires: %{python_module pip}
@@ -70,10 +64,7 @@ sed -i -e '/addopts/d' pyproject.toml
%python_expand %fdupes %{buildroot}%{$python_sitelib}
%check
# While SKIP_GITHUB is fine, the two tests skipped with SKIP_LOCALHOST
# should work as the test runner sets up a git daemon.
export SKIP_GITHUB=true
export SKIP_LOCALHOST=true
export TRAVIS=true
export LANG=en_US.UTF-8
@@ -90,6 +81,6 @@ git config --global user.name "Your Name"
%license LICENSE
%doc AUTHORS CHANGES README.md doc/source/*.rst
%{python_sitelib}/git
%{python_sitelib}/GitPython-%{simple_ver}.dist-info
%{python_sitelib}/GitPython-%{version}.dist-info
%changelog
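Review bot: The `export SKIP_GITHUB=true` line in the %check hunk looks vestigial: the `@skipIf(os.environ.get('SKIP_GITHUB', ...))` guards that read it were introduced by test-skips.patch, which this same commit drops, so unless the upstream 3.1.43 test suite reads SKIP_GITHUB on its own the export no longer skips anything and the network-dependent tests would presumably run (and fail) in an offline build sandbox. The rendered view has lost the +/- markers, so I am inferring from the hunk's 10-to-7 line count that only the SKIP_LOCALHOST comment and export were removed; if that is right, either drop the SKIP_GITHUB export as well or annotate it with `# SKIP_GITHUB is read by the upstream test suite (confirm against test/lib in 3.1.43)` so the next update does not have to re-derive this. The %check section continues outside the hunk.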


@@ -1,107 +0,0 @@
---
test/test_base.py | 3 ++-
test/test_remote.py | 5 ++++-
test/test_repo.py | 1 +
test/test_submodule.py | 19 +++++++++++--------
4 files changed, 18 insertions(+), 10 deletions(-)
Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_base.py
===================================================================
--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_base.py
+++ GitPython-3.1.34.1693646983.2a2ae77/test/test_base.py
@@ -109,7 +109,8 @@ class TestBase(_TestBase):
assert osp.isdir(osp.join(rw_repo.working_tree_dir, "lib"))
assert osp.isdir(rw_repo.working_dir)
- @skipIf(HIDE_WINDOWS_FREEZE_ERRORS, "FIXME: Freezes! sometimes...")
+ #@skipIf(HIDE_WINDOWS_FREEZE_ERRORS, "FIXME: Freezes! sometimes...")
+ @skipIf(os.environ.get('SKIP_LOCALHOST', 'false') == 'true', 'git-daemon connection error')
@with_rw_and_rw_remote_repo("0.1.6")
def test_with_rw_remote_and_rw_repo(self, rw_repo, rw_remote_repo):
assert not rw_repo.config_reader("repository").getboolean("core", "bare")
Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_remote.py
===================================================================
--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_remote.py
+++ GitPython-3.1.34.1693646983.2a2ae77/test/test_remote.py
@@ -4,6 +4,7 @@
# This module is part of GitPython and is released under
# the BSD License: http://www.opensource.org/licenses/bsd-license.php
+import os
import random
import tempfile
import pytest
@@ -430,7 +431,8 @@ class TestRemote(TestBase):
TagReference.delete(rw_repo, new_tag, other_tag)
remote.push(":%s" % other_tag.path, kill_after_timeout=10.0)
- @skipIf(HIDE_WINDOWS_FREEZE_ERRORS, "FIXME: Freezes!")
+ #@skipIf(HIDE_WINDOWS_FREEZE_ERRORS, "FIXME: Freezes!")
+ @skipIf(os.environ.get('SKIP_LOCALHOST', 'false') == 'true', 'git-daemon connection error')
@with_rw_and_rw_remote_repo("0.1.6")
def test_base(self, rw_repo, remote_repo):
num_remotes = 0
@@ -681,6 +683,7 @@ class TestRemote(TestBase):
# will raise fatal: Will not delete all non-push URLs
self.assertRaises(GitCommandError, remote.delete_url, test3)
+ @skipIf(os.environ.get('SKIP_GITHUB', 'false') == 'true', 'GitHub connection error')
def test_fetch_error(self):
rem = self.rorepo.remote("origin")
with self.assertRaisesRegex(GitCommandError, "[Cc]ouldn't find remote ref __BAD_REF__"):
Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_repo.py
===================================================================
--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_repo.py
+++ GitPython-3.1.34.1693646983.2a2ae77/test/test_repo.py
@@ -250,6 +250,7 @@ class TestRepo(TestBase):
except UnicodeEncodeError:
self.fail("Raised UnicodeEncodeError")
+ @skipIf(os.environ.get('SKIP_GITHUB', 'false') == 'true', 'Gitlab connection error')
@with_rw_directory
@skip("the referenced repository was removed, and one needs to setup a new password controlled repo under the orgs control")
def test_leaking_password_in_clone_logs(self, rw_dir):
Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_submodule.py
===================================================================
--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_submodule.py
+++ GitPython-3.1.34.1693646983.2a2ae77/test/test_submodule.py
@@ -453,14 +453,15 @@ class TestSubmodule(TestBase):
reason="Cygwin GitPython can't find submodule SHA",
raises=ValueError
)
- @skipIf(
- HIDE_WINDOWS_KNOWN_ERRORS,
- """
- File "C:\\projects\\gitpython\\git\\cmd.py", line 559, in execute
- raise GitCommandNotFound(command, err)
- git.exc.GitCommandNotFound: Cmd('git') not found due to: OSError('[WinError 6] The handle is invalid')
- cmdline: git clone -n --shared -v C:\\projects\\gitpython\\.git Users\\appveyor\\AppData\\Local\\Temp\\1\\tmplyp6kr_rnon_bare_test_root_module""",
- ) # noqa E501
+ #@skipIf(
+ # HIDE_WINDOWS_KNOWN_ERRORS,
+ # """
+ # File "C:\\projects\\gitpython\\git\\cmd.py", line 559, in execute
+ # raise GitCommandNotFound(command, err)
+ # git.exc.GitCommandNotFound: Cmd('git') not found due to: OSError('[WinError 6] The handle is invalid')
+ # cmdline: git clone -n --shared -v C:\\projects\\gitpython\\.git Users\\appveyor\\AppData\\Local\\Temp\\1\\tmplyp6kr_rnon_bare_test_root_module""",
+ #) # noqa E501
+ @skipIf(os.environ.get('SKIP_LOCALHOST', 'false') == 'true', 'git-daemon connection error')
@with_rw_repo(k_subm_current, bare=False)
def test_root_module(self, rwrepo):
# Can query everything without problems
@@ -802,6 +803,7 @@ class TestSubmodule(TestBase):
# "FIXME: helper.wrapper fails with: PermissionError: [WinError 5] Access is denied: "
# "'C:\\Users\\appveyor\\AppData\\Local\\Temp\\1\\test_work_tree_unsupportedryfa60di\\master_repo\\.git\\objects\\pack\\pack-bc9e0787aef9f69e1591ef38ea0a6f566ec66fe3.idx") # noqa E501
@with_rw_directory
+ @skipIf(os.environ.get('SKIP_LOCALHOST', 'false') == 'true', 'git-daemon connection error')
def test_git_submodule_compatibility(self, rwdir):
parent = git.Repo.init(osp.join(rwdir, "parent"))
sm_path = join_path_native("submodules", "intermediate", "one")
@@ -887,6 +889,7 @@ class TestSubmodule(TestBase):
# end for each dry-run mode
@with_rw_directory
+ @skipIf(os.environ.get('SKIP_LOCALHOST', 'false') == 'true', 'git-daemon connection error')
def test_remove_norefs(self, rwdir):
parent = git.Repo.init(osp.join(rwdir, "parent"))
sm_name = "mymodules/myname"


@@ -1,19 +0,0 @@
---
test/test_util.py | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
Index: GitPython-3.1.34.1693646983.2a2ae77/test/test_util.py
===================================================================
--- GitPython-3.1.34.1693646983.2a2ae77.orig/test/test_util.py
+++ GitPython-3.1.34.1693646983.2a2ae77/test/test_util.py
@@ -173,9 +173,7 @@ class TestUtils(TestBase):
self.assertRaises(IOError, wait_lock._obtain_lock)
elapsed = time.time() - start
extra_time = 0.02
- if is_win:
- # for Appveyor
- extra_time *= 6 # NOTE: Indeterministic failures here...
+ extra_time *= 6 # NOTE: Indeterministic failures here...
self.assertLess(elapsed, wait_time + extra_time)
def test_user_id(self):