changeset 1044:9b09dd0a6308

ssh: expand test coverage for ssh vulnerability
author Kevin Bullock <kbullock@ringworld.org>
date Wed, 09 Aug 2017 21:34:15 -0400
parents b4d2180739bb
children c35751c248c3
files tests/test-git-clone.t tests/test-pull.t tests/test-push.t
diffstat 3 files changed, 37 insertions(+), 5 deletions(-) [+]
--- a/tests/test-git-clone.t
+++ b/tests/test-git-clone.t
@@ -45,9 +45,9 @@
   $ hg clone 'git+ssh://%2DoProxyCommand=rm${IFS}nonexistent/path' | grep -v 'destination\|pulling from'
   abort: potentially unsafe hostname: '-oProxyCommand=rm${IFS}nonexistent'
   [1]
-
-  $ hg init a
-  $ cd a
-  $ hg pull 'git+ssh://-oProxyCommand=rm${IFS}nonexistent/path' | grep -v 'destination\|pulling from'
-  abort: potentially unsafe hostname: '-oProxyCommand=rm${IFS}nonexistent'
+  $ hg clone 'git+ssh://fakehost|shellcommand/path' | grep -v 'destination\|pulling from'
+  abort: potentially unsafe hostname: 'fakehost|shellcommand'
   [1]
+  $ hg clone 'git+ssh://fakehost%7Cshellcommand/path' | grep -v 'destination\|pulling from'
+  abort: potentially unsafe hostname: 'fakehost|shellcommand'
+  [1]
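Review bot: The `[1]` after each added clone case appears to be the exit status of the trailing `grep -v` (no lines left after filtering), not of `hg`, since an hg abort normally exits 255. Only the `abort: potentially unsafe hostname` line shows that the URL was rejected, and these cases would still pass if hg printed it and then exited 0. I would add an unindented comment line above the block, for example `note: [1] below is grep's status; the abort line is what proves the hostname was refused`, or drop the pipe where hg's stdout is stable. The same applies to the cases added in tests/test-pull.t and tests/test-push.t.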
--- a/tests/test-pull.t
+++ b/tests/test-pull.t
@@ -349,3 +349,20 @@
   date:        Mon Jan 01 00:00:12 2007 +0000
   summary:     add delta
   
+
+test for ssh vulnerability
+
+  $ hg init a
+  $ cd a
+  $ hg pull 'git+ssh://-oProxyCommand=rm${IFS}nonexistent/path' | grep -v 'destination\|pulling from'
+  abort: potentially unsafe hostname: '-oProxyCommand=rm${IFS}nonexistent'
+  [1]
+  $ hg pull 'git+ssh://-oProxyCommand=rm%20nonexistent/path' | grep -v 'destination\|pulling from'
+  abort: potentially unsafe hostname: '-oProxyCommand=rm nonexistent'
+  [1]
+  $ hg pull 'git+ssh://fakehost|shellcommand/path' | grep -v 'destination\|pulling from'
+  abort: potentially unsafe hostname: 'fakehost|shellcommand'
+  [1]
+  $ hg pull 'git+ssh://fakehost%7Cshellcommand/path' | grep -v 'destination\|pulling from'
+  abort: potentially unsafe hostname: 'fakehost|shellcommand'
+  [1]
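Review bot: The pull cases never exercise the percent-encoded leading dash (`%2D`) that tests/test-git-clone.t checks, so a regression where the hostname check runs before URL decoding on the pull path would go unnoticed. Adding `$ hg pull 'git+ssh://%2DoProxyCommand=rm${IFS}nonexistent/path' | grep -v 'destination\|pulling from'` with the expected `abort: potentially unsafe hostname: '-oProxyCommand=rm${IFS}nonexistent'` and `[1]` would close that gap. The push hunk in tests/test-push.t has the same gap. In the other direction, the clone lines visible in this diff have no `%20` variant, though one may exist above the hunk.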
--- a/tests/test-push.t
+++ b/tests/test-push.t
@@ -197,3 +197,18 @@
 Only one bookmark 'master' should be created
   $ hg bookmarks
    * master                    0:8aded40be5af
+
+test for ssh vulnerability
+
+  $ hg push 'git+ssh://-oProxyCommand=rm${IFS}nonexistent/path' | grep -v 'pushing to'
+  abort: potentially unsafe hostname: '-oProxyCommand=rm${IFS}nonexistent'
+  [1]
+  $ hg push 'git+ssh://-oProxyCommand=rm%20nonexistent/path' | grep -v 'pushing to'
+  abort: potentially unsafe hostname: '-oProxyCommand=rm nonexistent'
+  [1]
+  $ hg push 'git+ssh://fakehost|shellcommand/path' | grep -v 'pushing to'
+  abort: potentially unsafe hostname: 'fakehost|shellcommand'
+  [1]
+  $ hg push 'git+ssh://fakehost%7Cshellcommand/path' | grep -v 'pushing to'
+  abort: potentially unsafe hostname: 'fakehost|shellcommand'
+  [1]