dulwich is vulnerable to Path Traversal
53
Medium Risk
dulwich resolves loose ref names into filesystem paths in DiskRefsContainer.refpath using os.path.join, but lookups like read_loose_ref and the git-upload-archive argument skip the ref-name validation applied on write paths. An untrusted name such as ../../secret therefore resolves outside the ref store and its first line is returned as the ref value, letting a client read files outside the repository ref store. The fix validates ref names with _check_refname before resolving them to a path and rejects traversing names.
You are affected if you are using a version that falls within the vulnerable range and you run a git server that resolves untrusted client-supplied ref names.
dulwich is vulnerable to Path Traversal in versions 0.9.1 - 1.2.6.
Upgrade the dulwich library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant