upstream/mercurial-mirror Files · tests/test-trusted.py

dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...

dispatch: protect against malicious 'hg serve --stdio' invocations (sec) Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected. We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'. The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it. mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.

Matt Harbison - - Load All Authors

File last commit:

r31857:08fbc97d default


                r32050:77eaf953

4.1.3 stable

Download file

             test-trusted.py
        
                    203 lines
            
             | 5.9 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / tests / test-trusted.py
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      # Since it's not easy to write a test that portably deals

      # with files from different users/groups, we cheat a bit by

      # monkey-patching some functions in the util module

      from __future__ import absolute_import, print_function

      import os

      from mercurial import (

          error,

          ui as uimod,

          util,

      )

      hgrc = os.environ['HGRCPATH']

      f = open(hgrc)

      basehgrc = f.read()

      f.close()

      def testui(user='foo', group='bar', tusers=(), tgroups=(),

                 cuser='foo', cgroup='bar', debug=False, silent=False,

                 report=True):

          # user, group => owners of the file

          # tusers, tgroups => trusted users/groups

          # cuser, cgroup => user/group of the current process

          # write a global hgrc with the list of trusted users/groups and

          # some setting so that we can be sure it was read

          f = open(hgrc, 'w')

          f.write(basehgrc)

          f.write('\n[paths]\n')

          f.write('global = /some/path\n\n')

          if tusers or tgroups:

              f.write('[trusted]\n')

              if tusers:

                  f.write('users = %s\n' % ', '.join(tusers))

              if tgroups:

                  f.write('groups = %s\n' % ', '.join(tgroups))

          f.close()

          # override the functions that give names to uids and gids

          def username(uid=None):

              if uid is None:

                  return cuser

              return user

          util.username = username

          def groupname(gid=None):

              if gid is None:

                  return 'bar'

              return group

          util.groupname = groupname

          def isowner(st):

              return user == cuser

          util.isowner = isowner

          # try to read everything

          #print '# File belongs to user %s, group %s' % (user, group)

          #print '# trusted users = %s; trusted groups = %s' % (tusers, tgroups)

          kind = ('different', 'same')

          who = ('', 'user', 'group', 'user and the group')

          trusted = who[(user in tusers) + 2*(group in tgroups)]

          if trusted:

              trusted = ', but we trust the ' + trusted

          print('# %s user, %s group%s' % (kind[user == cuser], kind[group == cgroup],

                                           trusted))

          u = uimod.ui.load()

          u.setconfig('ui', 'debug', str(bool(debug)))

          u.setconfig('ui', 'report_untrusted', str(bool(report)))

          u.readconfig('.hg/hgrc')

          if silent:

              return u

          print('trusted')

          for name, path in u.configitems('paths'):

              print('   ', name, '=', path)

          print('untrusted')

          for name, path in u.configitems('paths', untrusted=True):

              print('.', end=' ')

              u.config('paths', name) # warning with debug=True

              print('.', end=' ')

              u.config('paths', name, untrusted=True) # no warnings

              print(name, '=', path)

          print()

          return u

      os.mkdir('repo')

      os.chdir('repo')

      os.mkdir('.hg')

      f = open('.hg/hgrc', 'w')

      f.write('[paths]\n')

      f.write('local = /another/path\n\n')

      f.close()

      #print '# Everything is run by user foo, group bar\n'

      # same user, same group

      testui()

      # same user, different group

      testui(group='def')

      # different user, same group

      testui(user='abc')

      # ... but we trust the group

      testui(user='abc', tgroups=['bar'])

      # different user, different group

      testui(user='abc', group='def')

      # ... but we trust the user

      testui(user='abc', group='def', tusers=['abc'])

      # ... but we trust the group

      testui(user='abc', group='def', tgroups=['def'])

      # ... but we trust the user and the group

      testui(user='abc', group='def', tusers=['abc'], tgroups=['def'])

      # ... but we trust all users

      print('# we trust all users')

      testui(user='abc', group='def', tusers=['*'])

      # ... but we trust all groups

      print('# we trust all groups')

      testui(user='abc', group='def', tgroups=['*'])

      # ... but we trust the whole universe

      print('# we trust all users and groups')

      testui(user='abc', group='def', tusers=['*'], tgroups=['*'])

      # ... check that users and groups are in different namespaces

      print("# we don't get confused by users and groups with the same name")

      testui(user='abc', group='def', tusers=['def'], tgroups=['abc'])

      # ... lists of user names work

      print("# list of user names")

      testui(user='abc', group='def', tusers=['foo', 'xyz', 'abc', 'bleh'],

             tgroups=['bar', 'baz', 'qux'])

      # ... lists of group names work

      print("# list of group names")

      testui(user='abc', group='def', tusers=['foo', 'xyz', 'bleh'],

             tgroups=['bar', 'def', 'baz', 'qux'])

      print("# Can't figure out the name of the user running this process")

      testui(user='abc', group='def', cuser=None)

      print("# prints debug warnings")

      u = testui(user='abc', group='def', cuser='foo', debug=True)

      print("# report_untrusted enabled without debug hides warnings")

      u = testui(user='abc', group='def', cuser='foo', report=False)

      print("# report_untrusted enabled with debug shows warnings")

      u = testui(user='abc', group='def', cuser='foo', debug=True, report=False)

      print("# ui.readconfig sections")

      filename = 'foobar'

      f = open(filename, 'w')

      f.write('[foobar]\n')

      f.write('baz = quux\n')

      f.close()

      u.readconfig(filename, sections=['foobar'])

      print(u.config('foobar', 'baz'))

      print()

      print("# read trusted, untrusted, new ui, trusted")

      u = uimod.ui.load()

      u.setconfig('ui', 'debug', 'on')

      u.readconfig(filename)

      u2 = u.copy()

      def username(uid=None):

          return 'foo'

      util.username = username

      u2.readconfig('.hg/hgrc')

      print('trusted:')

      print(u2.config('foobar', 'baz'))

      print('untrusted:')

      print(u2.config('foobar', 'baz', untrusted=True))

      print()

      print("# error handling")

      def assertraises(f, exc=error.Abort):

          try:

              f()

          except exc as inst:

              print('raised', inst.__class__.__name__)

          else:

              print('no exception?!')

      print("# file doesn't exist")

      os.unlink('.hg/hgrc')

      assert not os.path.exists('.hg/hgrc')

      testui(debug=True, silent=True)

      testui(user='abc', group='def', debug=True, silent=True)

      print()

      print("# parse error")

      f = open('.hg/hgrc', 'w')

      f.write('foo')

      f.close()

      try:

          testui(user='abc', group='def', silent=True)

      except error.ParseError as inst:

          print(inst)

      try:

          testui(debug=True, silent=True)

      except error.ParseError as inst:

          print(inst)

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				# Since it's not easy to write a test that portably deals
				# with files from different users/groups, we cheat a bit by
				# monkey-patching some functions in the util module

				from __future__ import absolute_import, print_function

				import os
				from mercurial import (
				error,
				ui as uimod,
				util,
				)

				hgrc = os.environ['HGRCPATH']
				f = open(hgrc)
				basehgrc = f.read()
				f.close()

				def testui(user='foo', group='bar', tusers=(), tgroups=(),
				cuser='foo', cgroup='bar', debug=False, silent=False,
				report=True):
				# user, group => owners of the file
				# tusers, tgroups => trusted users/groups
				# cuser, cgroup => user/group of the current process

				# write a global hgrc with the list of trusted users/groups and
				# some setting so that we can be sure it was read
				f = open(hgrc, 'w')
				f.write(basehgrc)
				f.write('\n[paths]\n')
				f.write('global = /some/path\n\n')

				if tusers or tgroups:
				f.write('[trusted]\n')
				if tusers:
				f.write('users = %s\n' % ', '.join(tusers))
				if tgroups:
				f.write('groups = %s\n' % ', '.join(tgroups))
				f.close()

				# override the functions that give names to uids and gids
				def username(uid=None):
				if uid is None:
				return cuser
				return user
				util.username = username

				def groupname(gid=None):
				if gid is None:
				return 'bar'
				return group
				util.groupname = groupname

				def isowner(st):
				return user == cuser
				util.isowner = isowner

				# try to read everything
				#print '# File belongs to user %s, group %s' % (user, group)
				#print '# trusted users = %s; trusted groups = %s' % (tusers, tgroups)
				kind = ('different', 'same')
				who = ('', 'user', 'group', 'user and the group')
				trusted = who[(user in tusers) + 2*(group in tgroups)]
				if trusted:
				trusted = ', but we trust the ' + trusted
				print('# %s user, %s group%s' % (kind[user == cuser], kind[group == cgroup],
				trusted))

				u = uimod.ui.load()
				u.setconfig('ui', 'debug', str(bool(debug)))
				u.setconfig('ui', 'report_untrusted', str(bool(report)))
				u.readconfig('.hg/hgrc')
				if silent:
				return u
				print('trusted')
				for name, path in u.configitems('paths'):
				print(' ', name, '=', path)
				print('untrusted')
				for name, path in u.configitems('paths', untrusted=True):
				print('.', end=' ')
				u.config('paths', name) # warning with debug=True
				print('.', end=' ')
				u.config('paths', name, untrusted=True) # no warnings
				print(name, '=', path)
				print()

				return u

				os.mkdir('repo')
				os.chdir('repo')
				os.mkdir('.hg')
				f = open('.hg/hgrc', 'w')
				f.write('[paths]\n')
				f.write('local = /another/path\n\n')
				f.close()

				#print '# Everything is run by user foo, group bar\n'

				# same user, same group
				testui()
				# same user, different group
				testui(group='def')
				# different user, same group
				testui(user='abc')
				# ... but we trust the group
				testui(user='abc', tgroups=['bar'])
				# different user, different group
				testui(user='abc', group='def')
				# ... but we trust the user
				testui(user='abc', group='def', tusers=['abc'])
				# ... but we trust the group
				testui(user='abc', group='def', tgroups=['def'])
				# ... but we trust the user and the group
				testui(user='abc', group='def', tusers=['abc'], tgroups=['def'])
				# ... but we trust all users
				print('# we trust all users')
				testui(user='abc', group='def', tusers=['*'])
				# ... but we trust all groups
				print('# we trust all groups')
				testui(user='abc', group='def', tgroups=['*'])
				# ... but we trust the whole universe
				print('# we trust all users and groups')
				testui(user='abc', group='def', tusers=[''], tgroups=[''])
				# ... check that users and groups are in different namespaces
				print("# we don't get confused by users and groups with the same name")
				testui(user='abc', group='def', tusers=['def'], tgroups=['abc'])
				# ... lists of user names work
				print("# list of user names")
				testui(user='abc', group='def', tusers=['foo', 'xyz', 'abc', 'bleh'],
				tgroups=['bar', 'baz', 'qux'])
				# ... lists of group names work
				print("# list of group names")
				testui(user='abc', group='def', tusers=['foo', 'xyz', 'bleh'],
				tgroups=['bar', 'def', 'baz', 'qux'])

				print("# Can't figure out the name of the user running this process")
				testui(user='abc', group='def', cuser=None)

				print("# prints debug warnings")
				u = testui(user='abc', group='def', cuser='foo', debug=True)

				print("# report_untrusted enabled without debug hides warnings")
				u = testui(user='abc', group='def', cuser='foo', report=False)

				print("# report_untrusted enabled with debug shows warnings")
				u = testui(user='abc', group='def', cuser='foo', debug=True, report=False)

				print("# ui.readconfig sections")
				filename = 'foobar'
				f = open(filename, 'w')
				f.write('[foobar]\n')
				f.write('baz = quux\n')
				f.close()
				u.readconfig(filename, sections=['foobar'])
				print(u.config('foobar', 'baz'))

				print()
				print("# read trusted, untrusted, new ui, trusted")
				u = uimod.ui.load()
				u.setconfig('ui', 'debug', 'on')
				u.readconfig(filename)
				u2 = u.copy()
				def username(uid=None):
				return 'foo'
				util.username = username
				u2.readconfig('.hg/hgrc')
				print('trusted:')
				print(u2.config('foobar', 'baz'))
				print('untrusted:')
				print(u2.config('foobar', 'baz', untrusted=True))

				print()
				print("# error handling")

				def assertraises(f, exc=error.Abort):
				try:
				f()
				except exc as inst:
				print('raised', inst.__class__.__name__)
				else:
				print('no exception?!')

				print("# file doesn't exist")
				os.unlink('.hg/hgrc')
				assert not os.path.exists('.hg/hgrc')
				testui(debug=True, silent=True)
				testui(user='abc', group='def', debug=True, silent=True)

				print()
				print("# parse error")
				f = open('.hg/hgrc', 'w')
				f.write('foo')
				f.close()

				try:
				testui(user='abc', group='def', silent=True)
				except error.ParseError as inst:
				print(inst)

				try:
				testui(debug=True, silent=True)
				except error.ParseError as inst:
				print(inst)