upstream/mercurial-mirror Files · tests/test-devel-warnings.t

convert: test for shell injection in git calls (SEC)...

convert: test for shell injection in git calls (SEC) CVE-2016-3069 (5/5) Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future. Reported by Blake Burkhart.

timeless - - Load All Authors

File last commit:

r28498:d09be0b8 default


                r28663:ae279d4a

3.7.3 stable

Download file

             test-devel-warnings.t
        
                    141 lines
            
             | 4.7 KiB
            
                | text/troff
            
             |
                Tads3Lexer
            
             / tests / test-devel-warnings.t
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

        $ cat << EOF > buggylocking.py

        > """A small extension that tests our developer warnings

        > """

        > 

        > from mercurial import cmdutil, repair, revset

        > 

        > cmdtable = {}

        > command = cmdutil.command(cmdtable)

        > 

        > @command('buggylocking', [], '')

        > def buggylocking(ui, repo):

        >     tr = repo.transaction('buggy')

        >     lo = repo.lock()

        >     wl = repo.wlock()

        >     wl.release()

        >     lo.release()

        > 

        > @command('properlocking', [], '')

        > def properlocking(ui, repo):

        >     """check that reentrance is fine"""

        >     wl = repo.wlock()

        >     lo = repo.lock()

        >     tr = repo.transaction('proper')

        >     tr2 = repo.transaction('proper')

        >     lo2 = repo.lock()

        >     wl2 = repo.wlock()

        >     wl2.release()

        >     lo2.release()

        >     tr2.close()

        >     tr.close()

        >     lo.release()

        >     wl.release()

        > 

        > @command('nowaitlocking', [], '')

        > def nowaitlocking(ui, repo):

        >     lo = repo.lock()

        >     wl = repo.wlock(wait=False)

        >     wl.release()

        >     lo.release()

        > 

        > @command('stripintr', [], '')

        > def stripintr(ui, repo):

        >     lo = repo.lock()

        >     tr = repo.transaction('foobar')

        >     try:

        >         repair.strip(repo.ui, repo, [repo['.'].node()])

        >     finally:

        >         lo.release()

        > @command('oldanddeprecated', [], '')

        > def oldanddeprecated(ui, repo):

        >     """test deprecation warning API"""

        >     def foobar(ui):

        >         ui.deprecwarn('foorbar is deprecated, go shopping', '42.1337')

        >     foobar(ui)

        > 

        > def oldstylerevset(repo, subset, x):

        >     return list(subset)

        > 

        > revset.symbols['oldstyle'] = oldstylerevset

        > EOF

        $ cat << EOF >> $HGRCPATH

        > [extensions]

        > buggylocking=$TESTTMP/buggylocking.py

        > [devel]

        > all-warnings=1

        > EOF

        $ hg init lock-checker

        $ cd lock-checker

        $ hg buggylocking

        devel-warn: transaction with no lock at: $TESTTMP/buggylocking.py:11 (buggylocking)

        devel-warn: "wlock" acquired after "lock" at: $TESTTMP/buggylocking.py:13 (buggylocking)

        $ cat << EOF >> $HGRCPATH

        > [devel]

        > all=0

        > check-locks=1

        > EOF

        $ hg buggylocking

        devel-warn: transaction with no lock at: $TESTTMP/buggylocking.py:11 (buggylocking)

        devel-warn: "wlock" acquired after "lock" at: $TESTTMP/buggylocking.py:13 (buggylocking)

        $ hg buggylocking --traceback

        devel-warn: transaction with no lock at:

         */hg:* in * (glob)

         */mercurial/dispatch.py:* in run (glob)

         */mercurial/dispatch.py:* in dispatch (glob)

         */mercurial/dispatch.py:* in _runcatch (glob)

         */mercurial/dispatch.py:* in _dispatch (glob)

         */mercurial/dispatch.py:* in runcommand (glob)

         */mercurial/dispatch.py:* in _runcommand (glob)

         */mercurial/dispatch.py:* in checkargs (glob)

         */mercurial/dispatch.py:* in <lambda> (glob)

         */mercurial/util.py:* in check (glob)

         $TESTTMP/buggylocking.py:* in buggylocking (glob)

        devel-warn: "wlock" acquired after "lock" at:

         */hg:* in * (glob)

         */mercurial/dispatch.py:* in run (glob)

         */mercurial/dispatch.py:* in dispatch (glob)

         */mercurial/dispatch.py:* in _runcatch (glob)

         */mercurial/dispatch.py:* in _dispatch (glob)

         */mercurial/dispatch.py:* in runcommand (glob)

         */mercurial/dispatch.py:* in _runcommand (glob)

         */mercurial/dispatch.py:* in checkargs (glob)

         */mercurial/dispatch.py:* in <lambda> (glob)

         */mercurial/util.py:* in check (glob)

         $TESTTMP/buggylocking.py:* in buggylocking (glob)

        $ hg properlocking

        $ hg nowaitlocking

        $ echo a > a

        $ hg add a

        $ hg commit -m a

        $ hg stripintr

        saved backup bundle to $TESTTMP/lock-checker/.hg/strip-backup/cb9a9f314b8b-cc5ccb0b-backup.hg (glob)

        abort: programming error: cannot strip from inside a transaction

        (contact your extension maintainer)

        [255]

        $ hg log -r "oldstyle()" -T '{rev}\n'

        devel-warn: revset "oldstyle" use list instead of smartset, (upgrade your code) at: */mercurial/revset.py:* (mfunc) (glob)

        0

        $ hg oldanddeprecated

        devel-warn: foorbar is deprecated, go shopping

        (compatibility will be dropped after Mercurial-42.1337, update your code.) at: $TESTTMP/buggylocking.py:53 (oldanddeprecated)

        $ hg oldanddeprecated --traceback

        devel-warn: foorbar is deprecated, go shopping

        (compatibility will be dropped after Mercurial-42.1337, update your code.) at:

         */hg:* in <module> (glob)

         */mercurial/dispatch.py:* in run (glob)

         */mercurial/dispatch.py:* in dispatch (glob)

         */mercurial/dispatch.py:* in _runcatch (glob)

         */mercurial/dispatch.py:* in _dispatch (glob)

         */mercurial/dispatch.py:* in runcommand (glob)

         */mercurial/dispatch.py:* in _runcommand (glob)

         */mercurial/dispatch.py:* in checkargs (glob)

         */mercurial/dispatch.py:* in <lambda> (glob)

         */mercurial/util.py:* in check (glob)

         $TESTTMP/buggylocking.py:* in oldanddeprecated (glob)

        $ cd ..

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages


				$ cat << EOF > buggylocking.py
				> """A small extension that tests our developer warnings
				> """
				>
				> from mercurial import cmdutil, repair, revset
				>
				> cmdtable = {}
				> command = cmdutil.command(cmdtable)
				>
				> @command('buggylocking', [], '')
				> def buggylocking(ui, repo):
				> tr = repo.transaction('buggy')
				> lo = repo.lock()
				> wl = repo.wlock()
				> wl.release()
				> lo.release()
				>
				> @command('properlocking', [], '')
				> def properlocking(ui, repo):
				> """check that reentrance is fine"""
				> wl = repo.wlock()
				> lo = repo.lock()
				> tr = repo.transaction('proper')
				> tr2 = repo.transaction('proper')
				> lo2 = repo.lock()
				> wl2 = repo.wlock()
				> wl2.release()
				> lo2.release()
				> tr2.close()
				> tr.close()
				> lo.release()
				> wl.release()
				>
				> @command('nowaitlocking', [], '')
				> def nowaitlocking(ui, repo):
				> lo = repo.lock()
				> wl = repo.wlock(wait=False)
				> wl.release()
				> lo.release()
				>
				> @command('stripintr', [], '')
				> def stripintr(ui, repo):
				> lo = repo.lock()
				> tr = repo.transaction('foobar')
				> try:
				> repair.strip(repo.ui, repo, [repo['.'].node()])
				> finally:
				> lo.release()
				> @command('oldanddeprecated', [], '')
				> def oldanddeprecated(ui, repo):
				> """test deprecation warning API"""
				> def foobar(ui):
				> ui.deprecwarn('foorbar is deprecated, go shopping', '42.1337')
				> foobar(ui)
				>
				> def oldstylerevset(repo, subset, x):
				> return list(subset)
				>
				> revset.symbols['oldstyle'] = oldstylerevset
				> EOF

				$ cat << EOF >> $HGRCPATH
				> [extensions]
				> buggylocking=$TESTTMP/buggylocking.py
				> [devel]
				> all-warnings=1
				> EOF

				$ hg init lock-checker
				$ cd lock-checker
				$ hg buggylocking
				devel-warn: transaction with no lock at: $TESTTMP/buggylocking.py:11 (buggylocking)
				devel-warn: "wlock" acquired after "lock" at: $TESTTMP/buggylocking.py:13 (buggylocking)
				$ cat << EOF >> $HGRCPATH
				> [devel]
				> all=0
				> check-locks=1
				> EOF
				$ hg buggylocking
				devel-warn: transaction with no lock at: $TESTTMP/buggylocking.py:11 (buggylocking)
				devel-warn: "wlock" acquired after "lock" at: $TESTTMP/buggylocking.py:13 (buggylocking)
				$ hg buggylocking --traceback
				devel-warn: transaction with no lock at:
				/hg: in * (glob)
				/mercurial/dispatch.py: in run (glob)
				/mercurial/dispatch.py: in dispatch (glob)
				/mercurial/dispatch.py: in _runcatch (glob)
				/mercurial/dispatch.py: in _dispatch (glob)
				/mercurial/dispatch.py: in runcommand (glob)
				/mercurial/dispatch.py: in _runcommand (glob)
				/mercurial/dispatch.py: in checkargs (glob)
				/mercurial/dispatch.py: in <lambda> (glob)
				/mercurial/util.py: in check (glob)
				$TESTTMP/buggylocking.py:* in buggylocking (glob)
				devel-warn: "wlock" acquired after "lock" at:
				/hg: in * (glob)
				/mercurial/dispatch.py: in run (glob)
				/mercurial/dispatch.py: in dispatch (glob)
				/mercurial/dispatch.py: in _runcatch (glob)
				/mercurial/dispatch.py: in _dispatch (glob)
				/mercurial/dispatch.py: in runcommand (glob)
				/mercurial/dispatch.py: in _runcommand (glob)
				/mercurial/dispatch.py: in checkargs (glob)
				/mercurial/dispatch.py: in <lambda> (glob)
				/mercurial/util.py: in check (glob)
				$TESTTMP/buggylocking.py:* in buggylocking (glob)
				$ hg properlocking
				$ hg nowaitlocking

				$ echo a > a
				$ hg add a
				$ hg commit -m a
				$ hg stripintr
				saved backup bundle to $TESTTMP/lock-checker/.hg/strip-backup/cb9a9f314b8b-cc5ccb0b-backup.hg (glob)
				abort: programming error: cannot strip from inside a transaction
				(contact your extension maintainer)
				[255]

				$ hg log -r "oldstyle()" -T '{rev}\n'
				devel-warn: revset "oldstyle" use list instead of smartset, (upgrade your code) at: /mercurial/revset.py: (mfunc) (glob)
				0
				$ hg oldanddeprecated
				devel-warn: foorbar is deprecated, go shopping
				(compatibility will be dropped after Mercurial-42.1337, update your code.) at: $TESTTMP/buggylocking.py:53 (oldanddeprecated)

				$ hg oldanddeprecated --traceback
				devel-warn: foorbar is deprecated, go shopping
				(compatibility will be dropped after Mercurial-42.1337, update your code.) at:
				/hg: in <module> (glob)
				/mercurial/dispatch.py: in run (glob)
				/mercurial/dispatch.py: in dispatch (glob)
				/mercurial/dispatch.py: in _runcatch (glob)
				/mercurial/dispatch.py: in _dispatch (glob)
				/mercurial/dispatch.py: in runcommand (glob)
				/mercurial/dispatch.py: in _runcommand (glob)
				/mercurial/dispatch.py: in checkargs (glob)
				/mercurial/dispatch.py: in <lambda> (glob)
				/mercurial/util.py: in check (glob)
				$TESTTMP/buggylocking.py:* in oldanddeprecated (glob)
				$ cd ..