Fix CVE-2023-41040

This change adds a check during reference resolving to see if it
contains an up-level reference ('..'). If it does, it raises an
exception.

This fixes CVE-2023-41040, which allows an attacker to access files
outside the repository's directory.

Author: facutuesca

git/refs/symbolic.py

@@ -168,6 +168,8 @@ def _get_ref_info_helper(
         """Return: (str(sha), str(target_ref_path)) if available, the sha the file at
         rela_path points to, or None. target_ref_path is the reference we
         point to, or None"""
+        if ".." in str(ref_path):
+            raise ValueError(f"Invalid reference '{ref_path}'")
         tokens: Union[None, List[str], Tuple[str, str]] = None
         repodir = _git_dir(repo, ref_path)
         try: