subrepo: add tests for svn rogue ssh urls (SEC)...
Sean Farley -
r33713:173ecccb stable
@@ -1274,6 +1274,10 b' class svnsubrepo(abstractsubrepo):'
1274 1274 # The revision must be specified at the end of the URL to properly
1275 1275 # update to a directory which has since been deleted and recreated.
1276 1276 args.append('%s@%s' % (state[0], state[1]))
1277
1278 # SEC: check that the ssh url is safe
1279 util.checksafessh(state[0])
1280
1277 1281 status, err = self._svncommand(args, failok=True)
1278 1282 _sanitize(self.ui, self.wvfs, '.svn')
1279 1283 if not re.search('Checked out revision [0-9]+.', status):
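Review bot: The new `util.checksafessh(state[0])` call sits after the URL has already been formatted into `args`, so validation follows use. Moving it above the `args.append('%s@%s' % (state[0], state[1]))` line keeps validate-then-use ordering and makes it harder for a later edit to slip a use of the URL in between. The comment could also state what is being rejected and why, for example `# SEC: the subrepo source may come from an untrusted .hgsub; refuse ssh URLs whose host would be parsed as an ssh option`. Only this checkout call is visibly guarded, and the enclosing method starts and ends outside the hunk, so whether other svn invocations that take the source URL need the same check cannot be judged from here.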
@@ -2890,7 +2890,8 b' def checksafessh(path):'
2890 2890 Raises an error.Abort when the url is unsafe.
2891 2891 """
2892 2892 path = urlreq.unquote(path)
2893 if path.startswith('ssh://-') or '|' in path:
2893 if (path.startswith('ssh://-') or path.startswith('svn+ssh://-')
2894 or '|' in path):
2894 2895 raise error.Abort(_('potentially unsafe url: %r') %
2895 2896 (path,))
2896 2897
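Review bot: The two chained `startswith` calls in `checksafessh` read more simply, and are easier to extend, as one tuple call: `if path.startswith(('ssh://-', 'svn+ssh://-')) or '|' in path:`. The prefix comparison is also case-sensitive on the scheme. Whether any consumer of these URLs accepts a differently cased scheme is not visible here, so lowercasing the scheme part before the comparison would be the conservative choice. The docstring begins outside the hunk; if it still describes only `ssh://` URLs, it should mention `svn+ssh://` as well.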
@@ -639,3 +639,67 b' Test that sanitizing is omitted in meta '
639 639 $ hg update -q -C '.^1'
640 640
641 641 $ cd ../..
642
643 SEC: test for ssh exploit
644
645 $ hg init ssh-vuln
646 $ cd ssh-vuln
647 $ echo "s = [svn]$SVNREPOURL/src" >> .hgsub
648 $ svn co --quiet "$SVNREPOURL"/src s
649 $ hg add .hgsub
650 $ hg ci -m1
651 $ echo "s = [svn]svn+ssh://-oProxyCommand=touch%20owned%20nested" > .hgsub
652 $ hg ci -m2
653 $ cd ..
654 $ hg clone ssh-vuln ssh-vuln-clone
655 updating to branch default
656 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepo s)
657 [255]
658
659 also check that a percent encoded '-' (%2D) doesn't work
660
661 $ cd ssh-vuln
662 $ echo "s = [svn]svn+ssh://%2DoProxyCommand=touch%20owned%20nested" > .hgsub
663 $ hg ci -m3
664 $ cd ..
665 $ rm -r ssh-vuln-clone
666 $ hg clone ssh-vuln ssh-vuln-clone
667 updating to branch default
668 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepo s)
669 [255]
670
671 also check for a pipe
672
673 $ cd ssh-vuln
674 $ echo "s = [svn]svn+ssh://fakehost|sh%20nested" > .hgsub
675 $ hg ci -m3
676 $ cd ..
677 $ rm -r ssh-vuln-clone
678 $ hg clone ssh-vuln ssh-vuln-clone
679 updating to branch default
680 abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepo s)
681 [255]
682
683 also check that a percent encoded '|' (%7C) doesn't work
684
685 $ cd ssh-vuln
686 $ echo "s = [svn]svn+ssh://fakehost%7Csh%20nested" > .hgsub
687 $ hg ci -m3
688 $ cd ..
689 $ rm -r ssh-vuln-clone
690 $ hg clone ssh-vuln ssh-vuln-clone
691 updating to branch default
692 abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepo s)
693 [255]
694
695 also check that hiding the attack in the username doesn't work:
696
697 $ cd ssh-vuln
698 $ echo "s = [svn]svn+ssh://%2DoProxyCommand=touch%20owned%20foo@example.com/nested" > .hgsub
699 $ hg ci -m3
700 $ cd ..
701 $ rm -r ssh-vuln-clone
702 $ hg clone ssh-vuln ssh-vuln-clone
703 updating to branch default
704 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned foo@example.com/nested' (in subrepo s)
705 [255]
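Review bot: Each case here pins only the abort message, not the absence of the side effect the rejected URL would have caused. The message could stay the same while the check moved to a point after the external command had already run, and these tests would still pass. Adding a line after each failed clone, such as `$ test ! -f owned && test ! -f ssh-vuln-clone/owned`, would assert the property the change is meant to guarantee; the exact directories to check depend on where the svn command would run, which is not visible here. Only `hg clone` is exercised, so a case that updates an existing clone to the bad revision would cover the other route into the same checkout code, assuming update reaches it as well.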