GitPython has Command Injection via Git options bypass

Summary GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs uploadpack and receivepack bypass that check. If an application passes attacker-controlled kwargs into Repo.clonefrom, Remote.fetch, Remote.pull, or Remote.push, th...