For f-droid.org, we build thousands of Android apps from git repos. To reduce our attack surface and work towards "least authority", we use a custom Git wrapper that locks down a lot of things that we never need, and have a higher risk of vulnerabilities. I would like to rework this to be a part of GitPython. So I'm opening this issue to see if this is something that the GitPython maintainers would be interested in merging.

I'm open on the API, it could be something like this:

git_repo = git.repo.Repo('.', safe=True)

The goal would be then that all invocations of Git would include these kinds options:

core.askpass = /bin/true
core.hooksPath = /dev/null
protocol.allow = never
protocol.https.allow = always
core.sshCommand = /bin/false
url.https://.insteadOf = ssh://

And run with these env vars:

GIT_TERMINAL_PROMPT=0
GIT_ASKPASS=/bin/true
SSH_ASKPASS=/bin/true
GIT_SSH=/bin/false  # for git < 2.3

This then hopefully only allows unauthenticated access to HTTPS repos, and prevents the execution of any command besides git. This would eliminate risks like these:

• GHSA-2mqj-m65w-jghx
• https://stackoverflow.com/questions/74200395/is-it-dangerous-to-open-or-clone-a-git-repository-from-an-untrusted-source
• GHSA-vm9j-46j9-qvq4
• https://git-scm.com/docs/git#_security
• https://github.blog/open-source/git/securing-git-addressing-5-new-vulnerabilities/
• https://nvd.nist.gov/vuln/detail/CVE-2017-1000117