Fix CVE-2023-41040

This change adds a check during reference resolving to see if the
requested reference is inside the current repository folder. If
it's ouside, it raises an exception.

This fixes CVE-2023-41040, which allows an attacker to access files
outside the repository's directory.

Author: facutuesca

Diff for: git/refs/symbolic.py

@@ -1,4 +1,5 @@
 from git.types import PathLike
+from pathlib import Path
 import os
 
 from git.compat import defenc
@@ -171,7 +172,14 @@ def _get_ref_info_helper(
         tokens: Union[None, List[str], Tuple[str, str]] = None
         repodir = _git_dir(repo, ref_path)
         try:
-            with open(os.path.join(repodir, str(ref_path)), "rt", encoding="UTF-8") as fp:
+            # Make the path absolute, normalizing any up-level references and
+            # separators
+            normalized_ref = Path(os.path.abspath(os.path.join(repodir, str(ref_path))))
+            normalized_repodir = Path(os.path.abspath(repodir))
+            if normalized_repodir not in normalized_ref.parents:
+                raise ValueError(f"Reference at {normalized_ref} is outside the repo directory")
+
+            with open(normalized_ref, "rt", encoding="UTF-8") as fp:
                 value = fp.read().rstrip()
             # Don't only split on spaces, but on whitespace, which allows to parse lines like
             # 60b64ef992065e2600bfef6187a97f92398a9144                branch 'master' of git-server:/path/to/repo