sonic-pi
Fix: Potential Vulnerability in Cloned Function
Description

This PR fixes a security vulnerability in checkout_verify_paths() that was cloned from libgit2 but did not receive the security patch. The original issue was reported and fixed under https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4. This PR applies the same patch to eliminate the vulnerability.

References

- https://nvd.nist.gov/vuln/detail/CVE-2020-12279
- https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4
Thanks for this - although it seems to mostly affect Windows users and the libgit2 in the tree isn't used on that platform in the build.
Is this not something that can be remedied by switching to a more recent rugged release?
There doesn't appear to be a more recent rugged release yet. @tabudz - should this be raised upstream instead on the rugged repo?
Thanks for the reply!
I’m using a tool that scans for vulnerable code clones, and it flagged the checkout_verify_paths() function in the vendored libgit2 here. The tool does not include the rugged repo yet so I haven't raised any concern there.
Totally understand this may not affect the current build or platform, but I thought it was worth noticing. Happy to leave it up to you whether to fix it here or wait for upstream.