subrepo: add tests for svn rogue ssh urls (SEC)...
Sean Farley -
r33730:60ee7af2 stable
@@ -1281,6 +1281,10 b' class svnsubrepo(abstractsubrepo):'
1281 # The revision must be specified at the end of the URL to properly
1281 # The revision must be specified at the end of the URL to properly
1282 # update to a directory which has since been deleted and recreated.
1282 # update to a directory which has since been deleted and recreated.
1283 args.append('%s@%s' % (state[0], state[1]))
1283 args.append('%s@%s' % (state[0], state[1]))
1284
1285 # SEC: check that the ssh url is safe
1286 util.checksafessh(state[0])
1287
1284 status, err = self._svncommand(args, failok=True)
1288 status, err = self._svncommand(args, failok=True)
1285 _sanitize(self.ui, self.wvfs, '.svn')
1289 _sanitize(self.ui, self.wvfs, '.svn')
1286 if not re.search('Checked out revision [0-9]+.', status):
1290 if not re.search('Checked out revision [0-9]+.', status):
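Review bot: The `util.checksafessh(state[0])` call on new line 1286 runs after `args` has already been assembled; placing it before the `args.append('%s@%s' % (state[0], state[1]))` line would keep a rejected URL from ever being put into a command list. The comment would help the next reader more if it gave the reason, for example `# SEC: svn passes the host of an svn+ssh:// URL to ssh, so reject hosts that ssh would parse as an option`. Only `state[0]` is validated; `state[1]` is interpolated into the same argument, and the hunk does not show whether it is checked elsewhere. The enclosing method starts and ends outside the hunk, so other svn invocations that use the stored URL may need the same guard.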
@@ -2905,7 +2905,8 b' def checksafessh(path):'
2905 Raises an error.Abort when the url is unsafe.
2905 Raises an error.Abort when the url is unsafe.
2906 """
2906 """
2907 path = urlreq.unquote(path)
2907 path = urlreq.unquote(path)
2908 if path.startswith('ssh://-') or '|' in path:
2908 if (path.startswith('ssh://-') or path.startswith('svn+ssh://-')
2909 or '|' in path):
2909 raise error.Abort(_('potentially unsafe url: %r') %
2910 raise error.Abort(_('potentially unsafe url: %r') %
2910 (path,))
2911 (path,))
2911
2912
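Review bot: The guard on new lines 2908-2909 is a case-sensitive prefix match against two literal schemes, so it is only as strong as the assumption that svn and ssh read the URL exactly as this string comparison does. Lower-casing the value and passing a tuple keeps it to one call: `if path.lower().startswith(('ssh://-', 'svn+ssh://-')) or '|' in path:`. A more durable form would parse the URL and test whether the host component begins with `-`, which stays correct if further ssh-backed schemes are added later. `urlreq.unquote` is applied once here; whether a downstream consumer decodes again is not visible in the hunk and is worth confirming. The docstring starts outside the hunk and should mention svn+ssh URLs if it currently names only ssh.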
@@ -639,3 +639,67 b' Test that sanitizing is omitted in meta '
639 $ hg update -q -C '.^1'
639 $ hg update -q -C '.^1'
640
640
641 $ cd ../..
641 $ cd ../..
642
643 SEC: test for ssh exploit
644
645 $ hg init ssh-vuln
646 $ cd ssh-vuln
647 $ echo "s = [svn]$SVNREPOURL/src" >> .hgsub
648 $ svn co --quiet "$SVNREPOURL"/src s
649 $ hg add .hgsub
650 $ hg ci -m1
651 $ echo "s = [svn]svn+ssh://-oProxyCommand=touch%20owned%20nested" > .hgsub
652 $ hg ci -m2
653 $ cd ..
654 $ hg clone ssh-vuln ssh-vuln-clone
655 updating to branch default
656 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepository "s")
657 [255]
658
659 also check that a percent encoded '-' (%2D) doesn't work
660
661 $ cd ssh-vuln
662 $ echo "s = [svn]svn+ssh://%2DoProxyCommand=touch%20owned%20nested" > .hgsub
663 $ hg ci -m3
664 $ cd ..
665 $ rm -r ssh-vuln-clone
666 $ hg clone ssh-vuln ssh-vuln-clone
667 updating to branch default
668 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepository "s")
669 [255]
670
671 also check for a pipe
672
673 $ cd ssh-vuln
674 $ echo "s = [svn]svn+ssh://fakehost|sh%20nested" > .hgsub
675 $ hg ci -m3
676 $ cd ..
677 $ rm -r ssh-vuln-clone
678 $ hg clone ssh-vuln ssh-vuln-clone
679 updating to branch default
680 abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepository "s")
681 [255]
682
683 also check that a percent encoded '|' (%7C) doesn't work
684
685 $ cd ssh-vuln
686 $ echo "s = [svn]svn+ssh://fakehost%7Csh%20nested" > .hgsub
687 $ hg ci -m3
688 $ cd ..
689 $ rm -r ssh-vuln-clone
690 $ hg clone ssh-vuln ssh-vuln-clone
691 updating to branch default
692 abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepository "s")
693 [255]
694
695 also check that hiding the attack in the username doesn't work:
696
697 $ cd ssh-vuln
698 $ echo "s = [svn]svn+ssh://%2DoProxyCommand=touch%20owned%20foo@example.com/nested" > .hgsub
699 $ hg ci -m3
700 $ cd ..
701 $ rm -r ssh-vuln-clone
702 $ hg clone ssh-vuln ssh-vuln-clone
703 updating to branch default
704 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned foo@example.com/nested' (in subrepository "s")
705 [255]
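Review bot: Each case asserts only the abort message and exit status, so the tests would still pass if the guard fired after the external command had already run. The URLs in the first, second and last cases carry `touch owned`, so a check after each aborted clone that no file named `owned` exists would pin the property that actually matters. The last four cases all commit with `-m3`; distinct messages would make a failing case easier to locate in the log. Only `hg clone` is exercised here, so the update and pull paths are presumably covered elsewhere, which is worth confirming.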