# HG changeset patch
# User Sean Farley
# Date 2017-07-31 21:40:28
# Node ID 08cfc4baf3ba221f5dcf3358ad049f68b9da21a3
# Parent 92b583e3e5223a1836f9c72c68703d7e2724ce08
push: add tests for unsafe ssh url (SEC)
diff --git a/tests/test-push.t b/tests/test-push.t
--- a/tests/test-push.t
+++ b/tests/test-push.t
@@ -297,3 +297,21 @@ Test push hook locking
 lock: user *, process * (*s) (glob)
 wlock: user *, process * (*s) (glob)
+SEC: check for unsafe ssh url
+
+ $ hg -R test-revflag push 'ssh://-oProxyCommand=touch${IFS}owned/path'
+ pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
+ abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
+ [255]
+ $ hg -R test-revflag push 'ssh://%2DoProxyCommand=touch${IFS}owned/path'
+ pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
+ abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
+ [255]
+ $ hg -R test-revflag push 'ssh://fakehost|shellcommand/path'
+ pushing to ssh://fakehost%7Cshellcommand/path
+ abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+ [255]
+ $ hg -R test-revflag push 'ssh://fakehost%7Cshellcommand/path'
+ pushing to ssh://fakehost%7Cshellcommand/path
+ abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+ [255]
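Review bot: The four new cases assert only the abort message and the `[255]` status, so a regression in which the abort is printed after ssh has already been started would still pass. After the two `-oProxyCommand` cases, add `$ test -f owned` with expected status `[1]`, assuming a relative `owned` would be created in the test's working directory; the `|shellcommand` cases have no observable side effect to check in the same way. The heading `SEC: check for unsafe ssh url` would also benefit from one line stating the two rejected classes exercised here: a host part beginning with `-` and a host part containing `|`, each in raw and percent-encoded form. Only `push` is exercised in this hunk, and whether the other commands that accept an ssh URL have equivalent tests is not visible from here.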