upstream/mercurial-mirror Commit - r33731:db83a1df

subrepo: add tests for git rogue ssh urls (SEC)...

Sean Farley -

r33731:db83a1df stable

parent child

mercurial/subrepo.py

0 +3 0

                 def _fetch(self, source, revision):
                     if self._gitmissing():
+                        # SEC: check for safe ssh url
+                        util.checksafessh(source)
                         source = self._abssource(source)
                         self.ui.status(_('cloning subrepo %s from %s\n') %
                                         (self._relpath, source))

tests/test-subrepo-git.t

0 +55 0

@@ -1182,3 +1182,58 b' whitelisting of ext should be respected '
1182	pwned: you asked for it	1182	pwned: you asked for it
1183		1183
1184	#endif	1184	#endif
		1185
		1186	test for ssh exploit with git subrepos 2017-07-25
		1187
		1188	$ hg init malicious-proxycommand
		1189	$ cd malicious-proxycommand
		1190	$ echo 's = [git]ssh://-oProxyCommand=rm${IFS}non-existent/path' > .hgsub
		1191	$ git init s
		1192	Initialized empty Git repository in $TESTTMP/tc/malicious-proxycommand/s/.git/
		1193	$ cd s
		1194	$ git commit --allow-empty -m 'empty'
		1195	[master (root-commit) 153f934] empty
		1196	$ cd ..
		1197	$ hg add .hgsub
		1198	$ hg ci -m 'add subrepo'
		1199	$ cd ..
		1200	$ hg clone malicious-proxycommand malicious-proxycommand-clone
		1201	updating to branch default
		1202	abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepository "s")
		1203	[255]
		1204
		1205	also check that a percent encoded '-' (%2D) doesn't work
		1206
		1207	$ cd malicious-proxycommand
		1208	$ echo 's = [git]ssh://%2DoProxyCommand=rm${IFS}non-existent/path' > .hgsub
		1209	$ hg ci -m 'change url to percent encoded'
		1210	$ cd ..
		1211	$ rm -r malicious-proxycommand-clone
		1212	$ hg clone malicious-proxycommand malicious-proxycommand-clone
		1213	updating to branch default
		1214	abort: potentially unsafe url: 'ssh://-oProxyCommand=rm${IFS}non-existent/path' (in subrepository "s")
		1215	[255]
		1216
		1217	also check for a pipe
		1218
		1219	$ cd malicious-proxycommand
		1220	$ echo 's = [git]ssh://fakehost\|shell/path' > .hgsub
		1221	$ hg ci -m 'change url to pipe'
		1222	$ cd ..
		1223	$ rm -r malicious-proxycommand-clone
		1224	$ hg clone malicious-proxycommand malicious-proxycommand-clone
		1225	updating to branch default
		1226	abort: potentially unsafe url: 'ssh://fakehost\|shell/path' (in subrepository "s")
		1227	[255]
		1228
		1229	also check that a percent encoded '\|' (%7C) doesn't work
		1230
		1231	$ cd malicious-proxycommand
		1232	$ echo 's = [git]ssh://fakehost%7Cshell/path' > .hgsub
		1233	$ hg ci -m 'change url to percent encoded'
		1234	$ cd ..
		1235	$ rm -r malicious-proxycommand-clone
		1236	$ hg clone malicious-proxycommand malicious-proxycommand-clone
		1237	updating to branch default
		1238	abort: potentially unsafe url: 'ssh://fakehost\|shell/path' (in subrepository "s")
		1239	[255]

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages