@@ -314,10 +314,10 @@ def dict_to_slots_and__excluded_are_none(self: object, d: Mapping[str, Any], exc
314314)
315315
316316_USE_SHELL_DANGER_MESSAGE = (
317- "Setting Git.USE_SHELL to True is unsafe and insecure, and should be avoided, "
318- "because the effect of shell metacharacters and shell expansions cannot usually be "
319- "accounted for. In addition, Git.USE_SHELL is deprecated and will be removed in a "
320- "future release."
317+ "Setting Git.USE_SHELL to True is unsafe and insecure, as the effect of special "
318+ "shell syntax cannot usually be accounted for. This can result in a command "
319+ "injection vulnerability and arbitrary code execution. Git.USE_SHELL is deprecated "
320+ "and will be removed in a future release."
321321)
322322
323323
@@ -413,6 +413,13 @@ def __setstate__(self, d: Dict[str, Any]) -> None:
413413 considered and accounted for, which is not possible under most circumstances. As
414414 detailed below, it is also no longer needed, even where it had been in the past.
415415
416+ It is in many if not most cases a command injection vulnerability for an application
417+ to set :attr:`USE_SHELL` to ``True``. Any attacker who can cause a specially crafted
418+ fragment of text to make its way into any part of any argument to any git command
419+ (including paths, branch names, etc.) can cause the shell to read and write
420+ arbitrary files and execute arbitrary commands. Innocent input may also accidentally
421+ contain special shell syntax, leading to inadvertent malfunctions.
422+
416423 In addition, how a value of ``True`` interacts with some aspects of GitPython's
417424 operation is not precisely specified and may change without warning, even before
418425 GitPython 4.0.0 when :attr:`USE_SHELL` may be removed. This includes:
0 commit comments