Fix CVE-2023-41040

This change adds a check during reference resolving to see if the requested reference is inside the current repository folder. If it's ouside, it raises an exception. This fixes CVE-2023-41040, which allows an attacker to access files outside the repository's directory.

Author: facutuesca

git/refs/symbolic.py

@@ -1,4 +1,5 @@
 fromgit.typesimportPathLike
+frompathlibimportPath
 importos
 
 fromgit.compatimportdefenc
@@ -171,7 +172,14 @@ def _get_ref_info_helper(
 tokens: Union[None, List[str], Tuple[str, str]] =None
 repodir=_git_dir(repo, ref_path)
 try:
-withopen(os.path.join(repodir, str(ref_path)), "rt", encoding="UTF-8") asfp:
+# Make the path absolute, normalizing any up-level references and
+# separators
+normalized_ref=Path(os.path.abspath(os.path.join(repodir, str(ref_path))))
+normalized_repodir=Path(os.path.abspath(repodir))
+ifnormalized_repodirnotinnormalized_ref.parents:
+raiseValueError(f"Reference at {normalized_ref} is outside the repo directory")
+
+withopen(normalized_ref, "rt", encoding="UTF-8") asfp:
 value=fp.read().rstrip()
 # Don't only split on spaces, but on whitespace, which allows to parse lines like
 # 60b64ef992065e2600bfef6187a97f92398a9144 branch 'master' of git-server:/path/to/repo