Tests fail due to security vulnerability fix in git 2.38.1 #1544

Closed
@Lightborne

Hello,
Due to a change made in Git to address a security vulnerability, some tests are failing.

See here for a description of the change:

https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253

These are the failing tests:

  • test_list_only_valid_submodules
  • test_git_submodules_and_add_sm_with_new_commit

The fail signature is the same in both cases:

cmdline: git submodule add /[redacted]/GitPython/git/ext/gitdb/gitdb/ext/smmap module
stderr: 'Cloning into '/tmp/test_list_only_valid_submoduleshv3nprno/parent/module'...
fatal: transport 'file' not allowed
fatal: clone of '/[redacted]/GitPython/git/ext/gitdb/gitdb/ext/smmap' into submodule path '/tmp/test_list_only_valid_submoduleshv3nprno/parent/module' failed'

Here is a blog post discussing this issue affecting others:

https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html

I have fixed this locally by changing the submodule add command in each test from:

repo.git.submodule("add", self._small_repo_url(), "module")

to

repo.git.submodule("add", Git.polish_url("https://github.com/gitpython-developers/smmap.git"), "module")

If this is an acceptable fix I can provide it in a pull request.
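A triage helper for the failure signature quoted in this issue, added here as an example (it is not the poster's code and not part of GitPython): it scans captured git stderr for the `transport 'file' not allowed` error and reports which submodule clone sources resolved to the file transport. The function names, the POSIX-only URL rules and the sample paths are assumptions made for the illustration.

```python
import re

# Error text emitted by patched git, copied from the failure signature in the issue.
FILE_BLOCKED = "fatal: transport 'file' not allowed"
CLONE_FAILED = re.compile(
    r"fatal: clone of '(?P<src>[^']+)' into submodule path '(?P<dst>[^']+)' failed"
)


def transport_of(url: str) -> str:
    """Return the transport git would pick for a clone source (POSIX rules only)."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*)://", url)
    if m:
        return m.group(1).lower()
    colon, slash = url.find(":"), url.find("/")
    # scp-like "host:path" means ssh; a slash before the first colon means a local path
    if colon != -1 and (slash == -1 or colon < slash):
        return "ssh"
    return "file"


def find_blocked_submodule_clones(stderr: str):
    """Return (source, destination) for each submodule clone rejected as file transport."""
    hits = []
    blocked = False
    for line in stderr.splitlines():
        if FILE_BLOCKED in line:
            blocked = True
            continue
        m = CLONE_FAILED.search(line)
        if m and blocked and transport_of(m["src"]) == "file":
            hits.append((m["src"], m["dst"]))
        blocked = False
    return hits


# Constructed sample modelled on the stderr above; the paths are placeholders.
SAMPLE_STDERR = """Cloning into '/tmp/parent/module'...
fatal: transport 'file' not allowed
fatal: clone of '/srv/fixtures/smmap' into submodule path '/tmp/parent/module' failed
"""

if __name__ == "__main__":
    for src, dst in find_blocked_submodule_clones(SAMPLE_STDERR):
        print(f"file-transport submodule clone blocked: {src} -> {dst}")
```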
