##// END OF EJS Templates
dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...
dispatch: protect against malicious 'hg serve --stdio' invocations (sec) Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected. We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'. The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it. mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.

File last commit:

r31857:08fbc97d default
r32050:77eaf953 4.1.3 stable
Show More
test-trusted.py
203 lines | 5.9 KiB | text/x-python | PythonLexer
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 # Since it's not easy to write a test that portably deals
# with files from different users/groups, we cheat a bit by
# monkey-patching some functions in the util module
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 from __future__ import absolute_import, print_function
Pulkit Goyal
tests: make test-trusted use absolute_import
r28913
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 import os
Pulkit Goyal
tests: make test-trusted use absolute_import
r28913 from mercurial import (
error,
ui as uimod,
util,
)
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551
hgrc = os.environ['HGRCPATH']
Alexis S. L. Carvalho
tests/*: avoid losing the original settings from $HGRCPATH
r5523 f = open(hgrc)
basehgrc = f.read()
f.close()
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551
def testui(user='foo', group='bar', tusers=(), tgroups=(),
Ry4an Brase
ui: always report untrusted hgrc files when debug enabled...
r13493 cuser='foo', cgroup='bar', debug=False, silent=False,
report=True):
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 # user, group => owners of the file
# tusers, tgroups => trusted users/groups
# cuser, cgroup => user/group of the current process
# write a global hgrc with the list of trusted users/groups and
# some setting so that we can be sure it was read
f = open(hgrc, 'w')
Alexis S. L. Carvalho
tests/*: avoid losing the original settings from $HGRCPATH
r5523 f.write(basehgrc)
f.write('\n[paths]\n')
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 f.write('global = /some/path\n\n')
if tusers or tgroups:
f.write('[trusted]\n')
if tusers:
f.write('users = %s\n' % ', '.join(tusers))
if tgroups:
f.write('groups = %s\n' % ', '.join(tgroups))
f.close()
# override the functions that give names to uids and gids
def username(uid=None):
if uid is None:
return cuser
return user
util.username = username
def groupname(gid=None):
if gid is None:
return 'bar'
return group
util.groupname = groupname
Martin Geisler
posix: do not use fstat in isowner...
r8657 def isowner(st):
Alexis S. L. Carvalho
Avoid looking up usernames if the current user owns the .hgrc file...
r3677 return user == cuser
util.isowner = isowner
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 # try to read everything
#print '# File belongs to user %s, group %s' % (user, group)
#print '# trusted users = %s; trusted groups = %s' % (tusers, tgroups)
kind = ('different', 'same')
who = ('', 'user', 'group', 'user and the group')
trusted = who[(user in tusers) + 2*(group in tgroups)]
if trusted:
trusted = ', but we trust the ' + trusted
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print('# %s user, %s group%s' % (kind[user == cuser], kind[group == cgroup],
trusted))
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551
Yuya Nishihara
ui: factor out ui.load() to create a ui without loading configs (API)...
r30559 u = uimod.ui.load()
Matt Mackall
ui: kill most users of parentui name and arg, replace with .copy()
r8190 u.setconfig('ui', 'debug', str(bool(debug)))
Ry4an Brase
ui: always report untrusted hgrc files when debug enabled...
r13493 u.setconfig('ui', 'report_untrusted', str(bool(report)))
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 u.readconfig('.hg/hgrc')
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 if silent:
return u
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print('trusted')
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 for name, path in u.configitems('paths'):
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print(' ', name, '=', path)
print('untrusted')
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 for name, path in u.configitems('paths', untrusted=True):
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print('.', end=' ')
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 u.config('paths', name) # warning with debug=True
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print('.', end=' ')
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 u.config('paths', name, untrusted=True) # no warnings
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print(name, '=', path)
print()
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551
return u
os.mkdir('repo')
os.chdir('repo')
os.mkdir('.hg')
f = open('.hg/hgrc', 'w')
f.write('[paths]\n')
f.write('local = /another/path\n\n')
f.close()
#print '# Everything is run by user foo, group bar\n'
# same user, same group
testui()
# same user, different group
testui(group='def')
# different user, same group
testui(user='abc')
# ... but we trust the group
testui(user='abc', tgroups=['bar'])
# different user, different group
testui(user='abc', group='def')
# ... but we trust the user
testui(user='abc', group='def', tusers=['abc'])
# ... but we trust the group
testui(user='abc', group='def', tgroups=['def'])
# ... but we trust the user and the group
testui(user='abc', group='def', tusers=['abc'], tgroups=['def'])
# ... but we trust all users
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print('# we trust all users')
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 testui(user='abc', group='def', tusers=['*'])
# ... but we trust all groups
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print('# we trust all groups')
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 testui(user='abc', group='def', tgroups=['*'])
# ... but we trust the whole universe
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print('# we trust all users and groups')
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 testui(user='abc', group='def', tusers=['*'], tgroups=['*'])
# ... check that users and groups are in different namespaces
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print("# we don't get confused by users and groups with the same name")
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 testui(user='abc', group='def', tusers=['def'], tgroups=['abc'])
# ... lists of user names work
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print("# list of user names")
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 testui(user='abc', group='def', tusers=['foo', 'xyz', 'abc', 'bleh'],
tgroups=['bar', 'baz', 'qux'])
# ... lists of group names work
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print("# list of group names")
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 testui(user='abc', group='def', tusers=['foo', 'xyz', 'bleh'],
tgroups=['bar', 'def', 'baz', 'qux'])
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print("# Can't figure out the name of the user running this process")
Alexis S. L. Carvalho
Only read .hg/hgrc files from trusted users/groups...
r3551 testui(user='abc', group='def', cuser=None)
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print("# prints debug warnings")
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 u = testui(user='abc', group='def', cuser='foo', debug=True)
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print("# report_untrusted enabled without debug hides warnings")
Ry4an Brase
ui: always report untrusted hgrc files when debug enabled...
r13493 u = testui(user='abc', group='def', cuser='foo', report=False)
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print("# report_untrusted enabled with debug shows warnings")
Ry4an Brase
ui: always report untrusted hgrc files when debug enabled...
r13493 u = testui(user='abc', group='def', cuser='foo', debug=True, report=False)
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print("# ui.readconfig sections")
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 filename = 'foobar'
f = open(filename, 'w')
f.write('[foobar]\n')
f.write('baz = quux\n')
f.close()
Mads Kiilerich
check-code: check for spaces around = for named parameters
r19872 u.readconfig(filename, sections=['foobar'])
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print(u.config('foobar', 'baz'))
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print()
print("# read trusted, untrusted, new ui, trusted")
Yuya Nishihara
ui: factor out ui.load() to create a ui without loading configs (API)...
r30559 u = uimod.ui.load()
Matt Mackall
ui: refactor option setting...
r8136 u.setconfig('ui', 'debug', 'on')
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 u.readconfig(filename)
Matt Mackall
ui: kill most users of parentui name and arg, replace with .copy()
r8190 u2 = u.copy()
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 def username(uid=None):
return 'foo'
util.username = username
u2.readconfig('.hg/hgrc')
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print('trusted:')
print(u2.config('foobar', 'baz'))
print('untrusted:')
print(u2.config('foobar', 'baz', untrusted=True))
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print()
print("# error handling")
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552
Pierre-Yves David
error: get Abort from 'error' instead of 'util'...
r26587 def assertraises(f, exc=error.Abort):
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 try:
f()
Gregory Szorc
global: mass rewrite to use modern exception syntax...
r25660 except exc as inst:
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print('raised', inst.__class__.__name__)
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 else:
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print('no exception?!')
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print("# file doesn't exist")
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 os.unlink('.hg/hgrc')
assert not os.path.exists('.hg/hgrc')
testui(debug=True, silent=True)
testui(user='abc', group='def', debug=True, silent=True)
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print()
print("# parse error")
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 f = open('.hg/hgrc', 'w')
Matt Mackall
ui: introduce new config parser
r8144 f.write('foo')
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552 f.close()
Matt Mackall
ui: introduce new config parser
r8144 try:
testui(user='abc', group='def', silent=True)
Gregory Szorc
global: mass rewrite to use modern exception syntax...
r25660 except error.ParseError as inst:
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print(inst)
Alexis S. L. Carvalho
save settings from untrusted config files in a separate configparser...
r3552
Matt Mackall
ui: introduce new config parser
r8144 try:
testui(debug=True, silent=True)
Gregory Szorc
global: mass rewrite to use modern exception syntax...
r25660 except error.ParseError as inst:
Pulkit Goyal
tests: make test-trusted use print_function...
r28934 print(inst)