upstream/mercurial-mirror Files · tests/test-template-engine.t

convert: test for shell injection in git calls (SEC)...

convert: test for shell injection in git calls (SEC) CVE-2016-3069 (5/5) Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future. Reported by Blake Burkhart.

Yuya Nishihara - - Load All Authors

File last commit:

r28213:93b5c540 default


                r28663:ae279d4a

3.7.3 stable

Download file

             test-template-engine.t
        
                    60 lines
            
             | 1.7 KiB
            
                | text/troff
            
             |
                Tads3Lexer
            
             / tests / test-template-engine.t
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

        $ cat > engine.py << EOF

        > 

        > from mercurial import templater

        > 

        > class mytemplater(object):

        >     def __init__(self, loader, filters, defaults):

        >         self.loader = loader

        > 

        >     def process(self, t, map):

        >         tmpl = self.loader(t)

        >         for k, v in map.iteritems():

        >             if k in ('templ', 'ctx', 'repo', 'revcache', 'cache'):

        >                 continue

        >             if hasattr(v, '__call__'):

        >                 v = v(**map)

        >             v = templater.stringify(v)

        >             tmpl = tmpl.replace('{{%s}}' % k, v)

        >         yield tmpl

        > 

        > templater.engines['my'] = mytemplater

        > EOF

        $ hg init test

        $ echo '[extensions]' > test/.hg/hgrc

        $ echo "engine = `pwd`/engine.py" >> test/.hg/hgrc

        $ cd test

        $ cat > mymap << EOF

        > changeset = my:changeset.txt

        > EOF

        $ cat > changeset.txt << EOF

        > {{rev}} {{node}} {{author}}

        > EOF

        $ hg ci -Ama

        adding changeset.txt

        adding mymap

        $ hg log --style=./mymap

        0 97e5f848f0936960273bbf75be6388cd0350a32b test

        $ cat > changeset.txt << EOF

        > {{p1rev}} {{p1node}} {{p2rev}} {{p2node}}

        > EOF

        $ hg ci -Ama

        $ hg log --style=./mymap

        0 97e5f848f0936960273bbf75be6388cd0350a32b -1 0000000000000000000000000000000000000000

        -1 0000000000000000000000000000000000000000 -1 0000000000000000000000000000000000000000

      Fuzzing the unicode escaper to ensure it produces valid data

      #if hypothesis

        >>> from hypothesishelpers import *

        >>> import mercurial.templatefilters as tf

        >>> import json

        >>> @check(st.text().map(lambda s: s.encode('utf-8')))

        ... def testtfescapeproducesvalidjson(text):

        ...     json.loads('"' + tf.jsonescape(text) + '"')

      #endif

        $ cd ..

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages


				$ cat > engine.py << EOF
				>
				> from mercurial import templater
				>
				> class mytemplater(object):
				> def __init__(self, loader, filters, defaults):
				> self.loader = loader
				>
				> def process(self, t, map):
				> tmpl = self.loader(t)
				> for k, v in map.iteritems():
				> if k in ('templ', 'ctx', 'repo', 'revcache', 'cache'):
				> continue
				> if hasattr(v, '__call__'):
				> v = v(**map)
				> v = templater.stringify(v)
				> tmpl = tmpl.replace('{{%s}}' % k, v)
				> yield tmpl
				>
				> templater.engines['my'] = mytemplater
				> EOF
				$ hg init test
				$ echo '[extensions]' > test/.hg/hgrc
				$ echo "engine = `pwd`/engine.py" >> test/.hg/hgrc
				$ cd test
				$ cat > mymap << EOF
				> changeset = my:changeset.txt
				> EOF
				$ cat > changeset.txt << EOF
				> {{rev}} {{node}} {{author}}
				> EOF
				$ hg ci -Ama
				adding changeset.txt
				adding mymap
				$ hg log --style=./mymap
				0 97e5f848f0936960273bbf75be6388cd0350a32b test

				$ cat > changeset.txt << EOF
				> {{p1rev}} {{p1node}} {{p2rev}} {{p2node}}
				> EOF
				$ hg ci -Ama
				$ hg log --style=./mymap
				0 97e5f848f0936960273bbf75be6388cd0350a32b -1 0000000000000000000000000000000000000000
				-1 0000000000000000000000000000000000000000 -1 0000000000000000000000000000000000000000

				Fuzzing the unicode escaper to ensure it produces valid data

				#if hypothesis

				>>> from hypothesishelpers import *
				>>> import mercurial.templatefilters as tf
				>>> import json
				>>> @check(st.text().map(lambda s: s.encode('utf-8')))
				... def testtfescapeproducesvalidjson(text):
				... json.loads('"' + tf.jsonescape(text) + '"')

				#endif

				$ cd ..