0.0.7
[v0.0.7] - 2023-08-30
git.exe or git executable.
🔐 Security Fixes
Arbitrary Command Execution Mitigation
- Dependabot Alert #3: GitPython untrusted search path on Windows systems leading to arbitrary code execution.
- The previous git clone implementation sets the
envargument to the path of the git executable in the current working directory. This poses a security risk as the code is susceptible to running arbitrarygitcommands from a malicious repository.git.Repo.clone_from(repo_path, temp_dir, depth=1)
- Updated the
envargument to explicitly set the absolute path of the git executable. This ensures that the git executable used to clone the repository is the one thats installed in the system path, and not the one located in the current working directory.git.Repo.clone_from(repo_path, temp_dir, depth=1, env=git_exec_path)
🚀 New Features and Enhancements
Code Modularity
- Introduced three methods to help isolate the Git executable discovery and validation logic.
find_git_executable(): Determines the absolute path of the Git executable.validate_git_executable(): Validates the found Git executable path.validate_file_permissions(): Validates the file permissions of the cloned repository.
File Permission Checks
- For Unix systems, added checks to ensure the permissions of the cloned repository are set to
0o700. This is a best practice for secure temporary directories and prevents unauthorized users from accessing the directory.
pip install --upgrade readmeai. Please be mindful of this vulnerability and use caution when cloning repositories from untrusted sources, especially for Windows users.