gitpython version 3.1.29 has a RCE vulnerability (CVE-2022-24439)

[CrypticGuru]

Describe the bug

There is a Remote Code Execution vulnerability in all versions of gitpython.

See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439

Reproduction steps

1. Install bandit version 1.7.4
2. It requires gitpython >=1.0.1 (but installs 3.1.29)
3. gitpython 3.1.29 has the reported vulnerability

Expected behavior

Proper input validation for git URLs needs to exist so that it is NOT possible to inject a maliciously crafted remote URL into the clone command.

Bandit version

1.7.4 (Default)

Python version

3.11 (Default)

Additional context

No response

[ericwb]

While it is true that Bandit has a dependency on GitPython, it does not use it to do any cloning, nor take a URL argument. The code in particular that uses GitPython is found in the baseline.py module.

[ericwb]

Closing for now since GitHub has a new mechanism for reporting potential vulnerabilities. I have just enabled it. In the future you can open one here: https://github.com/PyCQA/bandit/security/advisories

[MisterGlass]

It looks like gitpython has now patched this vulnerability gitpython-developers/GitPython#1515 (comment)