In extension to CVE-2022-25912, switch to case-insensitive check for protocol.allow in the handling of allowUnsafeProtocolOverride

Author: steveukx

.changeset/twelve-tires-trade.md

@@ -0,0 +1,7 @@
+---
+"simple-git": patch
+---
+
+Enhanced `protocol.allow` checks in `allowUnsafeExtProtocol` handling.
+
+Thanks to @CodeAnt-AI-Security for identifying the issue

simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts

@@ -21,7 +21,7 @@ function preventProtocolOverride(arg: string, next: string) {
       return;
    }
 
-   if (!/^\s*protocol(.[a-z]+)?.allow/.test(next)) {
+   if (!/^\s*protocol(.[a-z]+)?.allow/i.test(next)) {
       return;
    }
 

simple-git/test/unit/plugins/plugin.unsafe.spec.ts

@@ -7,6 +7,29 @@ import {
 } from '../__fixtures__';
 
 describe('blockUnsafeOperationsPlugin', () => {
+   it.each([
+      ['protocol.allow=always'],
+      ['PROTOCOL.ALLOW=always'],
+      ['Protocol.Allow=always'],
+      ['PROTOCOL.allow=always'],
+      ['protocol.ALLOW=always'],
+   ])('blocks protocol overide in format %s', async (cmd) => {
+      const task = ['config', '-c', cmd, 'config', '--list'];
+
+      assertGitError(
+         await promiseError(newSimpleGit().raw(...task)),
+         'allowUnsafeExtProtocol'
+      );
+
+      const err = promiseError(
+         newSimpleGit({ unsafe: { allowUnsafeProtocolOverride: true } }).raw(...task),
+      );
+
+      await closeWithSuccess();
+      expect(await err).toBeUndefined();
+      assertExecutedCommands(...task);
+   });
+
    it.each([
       ['clone', '-u touch /tmp/pwn'],
       ['cmd', '--upload-pack=touch /tmp/pwn0'],