reject reference symlink escapes

codex · Byron · commit 67f7ffae7462 · 2026-04-28T10:00:44.000+08:00
diff --git a/git/refs/symbolic.py b/git/refs/symbolic.py
@@ -114,6 +114,13 @@ def abspath(self) -> PathLike:
     def _get_validated_path(base: PathLike, path: PathLike) -> str:
         path = os.fspath(path)
         base_path = os.path.realpath(os.fspath(base))
+        cur_path = base_path
+        for part in os.path.normpath(path).split(os.sep):
+            if part in ("", "."):
+                continue
+            cur_path = os.path.join(cur_path, part)
+            if os.path.islink(cur_path):
+                raise ValueError("Reference path %r escapes the repository" % path)
         abs_path = os.path.realpath(os.path.join(base_path, path))
         try:
             common_path = os.path.commonpath([base_path, abs_path])
