fix: block joined short unsafe options (GHSA-v396-v7q4-x2qj)

codex · Byron · commit d533b1cb401f · 2026-06-17T12:29:20.000+08:00
diff --git a/git/cmd.py b/git/cmd.py
@@ -957,7 +957,10 @@ def _canonicalize_option_name(cls, option: str) -> str:
         option_tokens = option_name.split(None, 1)
         if not option_tokens:
             return ""
-        return dashify(option_tokens[0])
+        option_token = option_tokens[0]
+        if option.startswith("-") and not option.startswith("--") and len(option_token) > 1:
+            option_token = option_token[:1]
+        return dashify(option_token)
 
     @classmethod
     def check_unsafe_options(cls, options: List[str], unsafe_options: List[str]) -> None:
diff --git a/test/test_clone.py b/test/test_clone.py
@@ -118,8 +118,10 @@ def test_clone_unsafe_options(self, rw_repo):
             unsafe_options = [
                 f"--upload-pack='touch {tmp_file}'",
                 f"-u 'touch {tmp_file}'",
+                f"-u{tmp_file}",
                 "--config=protocol.ext.allow=always",
                 "-c protocol.ext.allow=always",
+                f"-cprotocol.ext.allow=always",
             ]
             for unsafe_option in unsafe_options:
                 with self.assertRaises(UnsafeOptionError):
@@ -207,8 +209,10 @@ def test_clone_from_unsafe_options(self, rw_repo):
             unsafe_options = [
                 f"--upload-pack='touch {tmp_file}'",
                 f"-u 'touch {tmp_file}'",
+                f"-u{tmp_file}",
                 "--config=protocol.ext.allow=always",
                 "-c protocol.ext.allow=always",
+                f"-cprotocol.ext.allow=always",
             ]
             for unsafe_option in unsafe_options:
                 with self.assertRaises(UnsafeOptionError):
diff --git a/test/test_git.py b/test/test_git.py
@@ -162,6 +162,8 @@ def test_check_unsafe_options_normalizes_kwargs(self):
             (["exec"], ["--exec"]),
             (["u"], ["-u"]),
             (["c"], ["-c"]),
+            (["-u/tmp/helper"], ["-u"]),
+            (["-cprotocol.ext.allow=always"], ["-c"]),
             (["--upload-pack=/tmp/helper"], ["--upload-pack"]),
             (["--config core.filemode=false"], ["--config"]),
         ]

Original file line number	Diff line number	Diff line change
`@@ -162,6 +162,8 @@ def test_check_unsafe_options_normalizes_kwargs(self):`
`162`	`162`	`(["exec"], ["--exec"]),`
`163`	`163`	`(["u"], ["-u"]),`
`164`	`164`	`(["c"], ["-c"]),`
	`165`	`+ (["-u/tmp/helper"], ["-u"]),`
	`166`	`+ (["-cprotocol.ext.allow=always"], ["-c"]),`
`165`	`167`	`(["--upload-pack=/tmp/helper"], ["--upload-pack"]),`
`166`	`168`	`(["--config core.filemode=false"], ["--config"]),`
`167`	`169`	`]`