ssh: unban the use of pipe character in user@host:port string...
Yuya Nishihara -
r33733:3fee7f7d 4.3.1 stable
@@ -2905,8 +2905,7 b' def checksafessh(path):'
2905 Raises an error.Abort when the url is unsafe.
2905 Raises an error.Abort when the url is unsafe.
2906 """
2906 """
2907 path = urlreq.unquote(path)
2907 path = urlreq.unquote(path)
2908 if (path.startswith('ssh://-') or path.startswith('svn+ssh://-')
2908 if path.startswith('ssh://-') or path.startswith('svn+ssh://-'):
2909 or '|' in path):
2910 raise error.Abort(_('potentially unsafe url: %r') %
2909 raise error.Abort(_('potentially unsafe url: %r') %
2911 (path,))
2910 (path,))
2912
2911
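Review bot: With the `'|' in path` test gone, the docstring line "Raises an error.Abort when the url is unsafe" promises more than the body checks: only a url whose host part begins with `-` after unquoting is rejected, and a pipe or any other shell metacharacter now passes through. I would add a comment above the `if`, for example `# only option injection (leading '-') is rejected here; shell metacharacters must be neutralised by quoting where the ssh command line is built`, so a later caller does not treat this function as a complete filter. The pipe tests for git and svn+ssh subrepositories are deleted further down the page without a replacement, so nothing visible here shows that those callers quote the url; that is worth confirming before relying on this change for them. The function starts above the hunk, so the rest of its docstring is not visible.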
@@ -1111,11 +1111,11 b' SEC: check for unsafe ssh url'
1111 $ hg clone 'ssh://%2DoProxyCommand=touch${IFS}owned/path'
1111 $ hg clone 'ssh://%2DoProxyCommand=touch${IFS}owned/path'
1112 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
1112 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
1113 [255]
1113 [255]
1114 $ hg clone 'ssh://fakehost|shellcommand/path'
1114 $ hg clone 'ssh://fakehost|touch%20owned/path'
1115 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
1115 abort: no suitable response from remote hg!
1116 [255]
1116 [255]
1117 $ hg clone 'ssh://fakehost%7Cshellcommand/path'
1117 $ hg clone 'ssh://fakehost%7Ctouch%20owned/path'
1118 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
1118 abort: no suitable response from remote hg!
1119 [255]
1119 [255]
1120
1120
1121 $ hg clone 'ssh://-oProxyCommand=touch owned%20foo@example.com/nonexistent/path'
1121 $ hg clone 'ssh://-oProxyCommand=touch owned%20foo@example.com/nonexistent/path'
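Review bot: The two pipe cases at new lines 1114-1119 now expect `abort: no suitable response from remote hg!`, which means the url is handed to the configured ssh command, yet nothing in this hunk checks that the injected `touch` did not run. The pull, push and subrepository tests in the same commit add `$ [ ! -f owned ] || echo 'you got owned'` after their pipe cases; unless this file already asserts that later (outside the hunk), the same line belongs after new line 1119. The hunk also does not show a `ui.ssh` override, so the expected message depends on one being set earlier in the file.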
@@ -107,6 +107,11 b' regular shell commands.'
107
107
108 SEC: check for unsafe ssh url
108 SEC: check for unsafe ssh url
109
109
110 $ cat >> $HGRCPATH << EOF
111 > [ui]
112 > ssh = sh -c "read l; read l; read l"
113 > EOF
114
110 $ hg pull 'ssh://-oProxyCommand=touch${IFS}owned/path'
115 $ hg pull 'ssh://-oProxyCommand=touch${IFS}owned/path'
111 pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
116 pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
112 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
117 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
@@ -115,13 +120,15 b' SEC: check for unsafe ssh url'
115 pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
120 pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
116 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
121 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
117 [255]
122 [255]
118 $ hg pull 'ssh://fakehost|shellcommand/path'
123 $ hg pull 'ssh://fakehost|touch${IFS}owned/path'
119 pulling from ssh://fakehost%7Cshellcommand/path
124 pulling from ssh://fakehost%7Ctouch%24%7BIFS%7Downed/path
120 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
125 abort: no suitable response from remote hg!
121 [255]
126 [255]
122 $ hg pull 'ssh://fakehost%7Cshellcommand/path'
127 $ hg pull 'ssh://fakehost%7Ctouch%20owned/path'
123 pulling from ssh://fakehost%7Cshellcommand/path
128 pulling from ssh://fakehost%7Ctouch%20owned/path
124 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
129 abort: no suitable response from remote hg!
125 [255]
130 [255]
126
131
132 $ [ ! -f owned ] || echo 'you got owned'
133
127 $ cd ..
134 $ cd ..
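Review bot: The `[ui] ssh = sh -c "read l; read l; read l"` override added at new lines 110-113 has no explanation, and it is appended to `$HGRCPATH`, so it stays in force for everything that follows in the file. A one-line test comment before it would help, for example `use a stub ssh that reads three lines and exits, so the url reaches the command line without contacting a host`. The same unexplained block is added in the push test (new lines 322-325) and the subrepository test (new lines 1795-1798).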
@@ -319,6 +319,11 b' Test bare push with multiple race checki'
319
319
320 SEC: check for unsafe ssh url
320 SEC: check for unsafe ssh url
321
321
322 $ cat >> $HGRCPATH << EOF
323 > [ui]
324 > ssh = sh -c "read l; read l; read l"
325 > EOF
326
322 $ hg -R test-revflag push 'ssh://-oProxyCommand=touch${IFS}owned/path'
327 $ hg -R test-revflag push 'ssh://-oProxyCommand=touch${IFS}owned/path'
323 pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
328 pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
324 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
329 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
@@ -327,11 +332,13 b' SEC: check for unsafe ssh url'
327 pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
332 pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
328 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
333 abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
329 [255]
334 [255]
330 $ hg -R test-revflag push 'ssh://fakehost|shellcommand/path'
335 $ hg -R test-revflag push 'ssh://fakehost|touch${IFS}owned/path'
331 pushing to ssh://fakehost%7Cshellcommand/path
336 pushing to ssh://fakehost%7Ctouch%24%7BIFS%7Downed/path
332 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
337 abort: no suitable response from remote hg!
333 [255]
338 [255]
334 $ hg -R test-revflag push 'ssh://fakehost%7Cshellcommand/path'
339 $ hg -R test-revflag push 'ssh://fakehost%7Ctouch%20owned/path'
335 pushing to ssh://fakehost%7Cshellcommand/path
340 pushing to ssh://fakehost%7Ctouch%20owned/path
336 abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
341 abort: no suitable response from remote hg!
337 [255]
342 [255]
343
344 $ [ ! -f owned ] || echo 'you got owned'
@@ -1213,27 +1213,3 b" also check that a percent encoded '-' (%"
1213 updating to branch default
1213 updating to branch default
1214 abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepository "s")
1214 abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepository "s")
1215 [255]
1215 [255]
1216
1217 also check for a pipe
1218
1219 $ cd malicious-proxycommand
1220 $ echo 's = [git]ssh://fakehost|shell/path' > .hgsub
1221 $ hg ci -m 'change url to pipe'
1222 $ cd ..
1223 $ rm -r malicious-proxycommand-clone
1224 $ hg clone malicious-proxycommand malicious-proxycommand-clone
1225 updating to branch default
1226 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s")
1227 [255]
1228
1229 also check that a percent encoded '|' (%7C) doesn't work
1230
1231 $ cd malicious-proxycommand
1232 $ echo 's = [git]ssh://fakehost%7Cshell/path' > .hgsub
1233 $ hg ci -m 'change url to percent encoded'
1234 $ cd ..
1235 $ rm -r malicious-proxycommand-clone
1236 $ hg clone malicious-proxycommand malicious-proxycommand-clone
1237 updating to branch default
1238 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s")
1239 [255]
@@ -668,30 +668,6 b" also check that a percent encoded '-' (%"
668 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepository "s")
668 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepository "s")
669 [255]
669 [255]
670
670
671 also check for a pipe
672
673 $ cd ssh-vuln
674 $ echo "s = [svn]svn+ssh://fakehost|sh%20nested" > .hgsub
675 $ hg ci -m3
676 $ cd ..
677 $ rm -r ssh-vuln-clone
678 $ hg clone ssh-vuln ssh-vuln-clone
679 updating to branch default
680 abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepository "s")
681 [255]
682
683 also check that a percent encoded '|' (%7C) doesn't work
684
685 $ cd ssh-vuln
686 $ echo "s = [svn]svn+ssh://fakehost%7Csh%20nested" > .hgsub
687 $ hg ci -m3
688 $ cd ..
689 $ rm -r ssh-vuln-clone
690 $ hg clone ssh-vuln ssh-vuln-clone
691 updating to branch default
692 abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepository "s")
693 [255]
694
695 also check that hiding the attack in the username doesn't work:
671 also check that hiding the attack in the username doesn't work:
696
672
697 $ cd ssh-vuln
673 $ cd ssh-vuln
@@ -1792,6 +1792,11 b" Test that '[paths]' is configured correc"
1792
1792
1793 test for ssh exploit 2017-07-25
1793 test for ssh exploit 2017-07-25
1794
1794
1795 $ cat >> $HGRCPATH << EOF
1796 > [ui]
1797 > ssh = sh -c "read l; read l; read l"
1798 > EOF
1799
1795 $ hg init malicious-proxycommand
1800 $ hg init malicious-proxycommand
1796 $ cd malicious-proxycommand
1801 $ cd malicious-proxycommand
1797 $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub
1802 $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub
@@ -1825,26 +1830,28 b" also check that a percent encoded '-' (%"
1825 also check for a pipe
1830 also check for a pipe
1826
1831
1827 $ cd malicious-proxycommand
1832 $ cd malicious-proxycommand
1828 $ echo 's = [hg]ssh://fakehost|shell/path' > .hgsub
1833 $ echo 's = [hg]ssh://fakehost|touch${IFS}owned/path' > .hgsub
1829 $ hg ci -m 'change url to pipe'
1834 $ hg ci -m 'change url to pipe'
1830 $ cd ..
1835 $ cd ..
1831 $ rm -r malicious-proxycommand-clone
1836 $ rm -r malicious-proxycommand-clone
1832 $ hg clone malicious-proxycommand malicious-proxycommand-clone
1837 $ hg clone malicious-proxycommand malicious-proxycommand-clone
1833 updating to branch default
1838 updating to branch default
1834 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s")
1839 abort: no suitable response from remote hg!
1835 [255]
1840 [255]
1841 $ [ ! -f owned ] || echo 'you got owned'
1836
1842
1837 also check that a percent encoded '|' (%7C) doesn't work
1843 also check that a percent encoded '|' (%7C) doesn't work
1838
1844
1839 $ cd malicious-proxycommand
1845 $ cd malicious-proxycommand
1840 $ echo 's = [hg]ssh://fakehost%7Cshell/path' > .hgsub
1846 $ echo 's = [hg]ssh://fakehost%7Ctouch%20owned/path' > .hgsub
1841 $ hg ci -m 'change url to percent encoded pipe'
1847 $ hg ci -m 'change url to percent encoded pipe'
1842 $ cd ..
1848 $ cd ..
1843 $ rm -r malicious-proxycommand-clone
1849 $ rm -r malicious-proxycommand-clone
1844 $ hg clone malicious-proxycommand malicious-proxycommand-clone
1850 $ hg clone malicious-proxycommand malicious-proxycommand-clone
1845 updating to branch default
1851 updating to branch default
1846 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s")
1852 abort: no suitable response from remote hg!
1847 [255]
1853 [255]
1854 $ [ ! -f owned ] || echo 'you got owned'
1848
1855
1849 and bad usernames:
1856 and bad usernames:
1850 $ cd malicious-proxycommand
1857 $ cd malicious-proxycommand