annotate tests/test-pull-http.t @ 33650:0b3fe3910ef5 stable
util: add utility method to check for bad ssh urls (SEC)

Our use of SSH has an exploit that will parse the first part of an url
blindly as a hostname. Prior to this set of security patches, a url
with '-oProxyCommand' could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' can be abused to execute
arbitrary commands in a similar fashion.

We defend against this by checking ssh:// URLs and looking for a
hostname that starts with a - or contains a |.

When this happens, let's throw a big abort into the user's face so
that they can inspect what's going on.

author | Sean Farley <sean@farley.io> |
---|---|
date | Fri, 28 Jul 2017 16:32:25 -0700 |
parents | 4431add9aef9 |
children | eb586ed5d8ce |
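
The check described in the commit message above, as an added example that is not Mercurial's own code: the names `ssh_host`, `check_ssh_url`, `audit` and `UnsafeSshUrl` and the sample URLs are assumptions made for illustration. It goes slightly beyond the message by decoding percent-escapes and stripping a `user@` prefix and a port before testing the host.

```python
from urllib.parse import unquote, urlsplit


class UnsafeSshUrl(ValueError):
    """An ssh:// URL whose host could be misread by the ssh client."""


def ssh_host(url):
    """Return the decoded host of an ssh:// URL, or None for other schemes."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ssh":
        return None
    # Decode before checking so an escaped '-' or '|' is not overlooked.
    authority = unquote(parts.netloc)
    hostport = authority.rpartition("@")[2]  # drop an optional user@ prefix
    host, sep, port = hostport.rpartition(":")
    return host if sep and port.isdigit() else hostport


def check_ssh_url(url):
    """Return url unchanged, or raise UnsafeSshUrl instead of running ssh."""
    host = ssh_host(url)
    if host is not None and (host.startswith("-") or "|" in host):
        raise UnsafeSshUrl("potentially unsafe ssh url: %r" % (url,))
    return url


def audit(urls):
    """Map each URL to 'ok' or 'abort' without touching the network."""
    verdicts = {}
    for url in urls:
        try:
            check_ssh_url(url)
            verdicts[url] = "ok"
        except UnsafeSshUrl:
            verdicts[url] = "abort"
    return verdicts


# Constructed sample inputs; "placeholder" stands in for any option value.
SAMPLE_URLS = [
    "ssh://jdoe@example.net/hg/jdoes-fork",     # ordinary path from an hgrc
    "ssh://example.net:2222/hg/repo",           # explicit port
    "http://foo@localhost/",                    # not ssh, not checked
    "ssh://-oProxyCommand=placeholder/repo",    # host parsed as an ssh option
    "ssh://%2DoProxyCommand=placeholder/repo",  # same, percent-encoded
    "ssh://example.net|placeholder/repo",       # pipe in the host
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_URLS).items():
        print("%-6s %s" % (verdict, url))
```
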

rev | line source |
---|---|
22046:7a9cbb315d84 | 1 #require killdaemons |
4288:8a3e12426c03 | 2 |
12480:4a5048c359d7 | 3 $ hg init test |
12480:4a5048c359d7 | 4 $ cd test |
12480:4a5048c359d7 | 5 $ echo a > a |
12480:4a5048c359d7 | 6 $ hg ci -Ama |
12480:4a5048c359d7 | 7 adding a |
12480:4a5048c359d7 | 8 $ cd .. |
12480:4a5048c359d7 | 9 $ hg clone test test2 |
12480:4a5048c359d7 | 10 updating to branch default |
12480:4a5048c359d7 | 11 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
12480:4a5048c359d7 | 12 $ cd test2 |
12480:4a5048c359d7 | 13 $ echo a >> a |
12480:4a5048c359d7 | 14 $ hg ci -mb |
2481:5c65b4e51610 | 15 |
15552:62c9183a0bbb | 16 Cloning with a password in the URL should not save the password in .hg/hgrc: |
15552:62c9183a0bbb | 17 |
15552:62c9183a0bbb | 18 $ hg serve -p $HGPORT -d --pid-file=hg.pid -E errors.log |
15552:62c9183a0bbb | 19 $ cat hg.pid >> $DAEMON_PIDS |
15552:62c9183a0bbb | 20 $ hg clone http://foo:xyzzy@localhost:$HGPORT/ test3 |
15552:62c9183a0bbb | 21 requesting all changes |
15552:62c9183a0bbb | 22 adding changesets |
15552:62c9183a0bbb | 23 adding manifests |
15552:62c9183a0bbb | 24 adding file changes |
15552:62c9183a0bbb | 25 added 2 changesets with 2 changes to 1 files |
15552:62c9183a0bbb | 26 updating to branch default |
15552:62c9183a0bbb | 27 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
15552:62c9183a0bbb | 28 $ cat test3/.hg/hgrc |
29978:3d2ea1403c62 | 29 # example repository config (see 'hg help config' for more info) |
15552:62c9183a0bbb | 30 [paths] |
15552:62c9183a0bbb | 31 default = http://foo@localhost:$HGPORT/ |
22837:2be7d5ebd4d0 | 32 |
22837:2be7d5ebd4d0 | 33 # path aliases to other clones of this repo in URLs or filesystem paths |
29978:3d2ea1403c62 | 34 # (see 'hg help config.paths' for more info) |
22837:2be7d5ebd4d0 | 35 # |
31064:4431add9aef9 | 36 # default:pushurl = ssh://jdoe@example.net/hg/jdoes-fork |
31064:4431add9aef9 | 37 # my-fork = ssh://jdoe@example.net/hg/jdoes-fork |
31064:4431add9aef9 | 38 # my-clone = /home/jdoe/jdoes-clone |
22837:2be7d5ebd4d0 | 39 |
22837:2be7d5ebd4d0 | 40 [ui] |
22837:2be7d5ebd4d0 | 41 # name and email (local to this repository, optional), e.g. |
22837:2be7d5ebd4d0 | 42 # username = Jane Doe <jdoe@example.com> |
25474:8c14f87bd0ae | 43 $ killdaemons.py |
15552:62c9183a0bbb | 44 |
12480:4a5048c359d7 | 45 expect error, cloning not allowed |
2481:5c65b4e51610 | 46 |
12480:4a5048c359d7 | 47 $ echo '[web]' > .hg/hgrc |
12480:4a5048c359d7 | 48 $ echo 'allowpull = false' >> .hg/hgrc |
12480:4a5048c359d7 | 49 $ hg serve -p $HGPORT -d --pid-file=hg.pid -E errors.log |
12480:4a5048c359d7 | 50 $ cat hg.pid >> $DAEMON_PIDS |
29688:30c59bdd4f41 | 51 $ hg clone http://localhost:$HGPORT/ test4 # bundle2+ |
25372:df723a2655e9 | 52 requesting all changes |
25372:df723a2655e9 | 53 abort: authorization failed |
25372:df723a2655e9 | 54 [255] |
29687:ac9b85079122 | 55 $ hg clone http://localhost:$HGPORT/ test4 --config devel.legacy.exchange=bundle1 |
12480:4a5048c359d7 | 56 abort: authorization failed |
12480:4a5048c359d7 | 57 [255] |
25474:8c14f87bd0ae | 58 $ killdaemons.py |
12480:4a5048c359d7 | 59 |
12480:4a5048c359d7 | 60 serve errors |
6778:959efdac4a9c | 61 |
12480:4a5048c359d7 | 62 $ cat errors.log |
12480:4a5048c359d7 | 63 $ req() { |
12743:4c4aeaab2339 | 64 > hg serve -p $HGPORT -d --pid-file=hg.pid -E errors.log |
12743:4c4aeaab2339 | 65 > cat hg.pid >> $DAEMON_PIDS |
12743:4c4aeaab2339 | 66 > hg --cwd ../test pull http://localhost:$HGPORT/ |
25472:4d2b9b304ad0 | 67 > killdaemons.py hg.pid |
12743:4c4aeaab2339 | 68 > echo % serve errors |
12743:4c4aeaab2339 | 69 > cat errors.log |
12480:4a5048c359d7 | 70 > } |
6167:f53b9a383476 | 71 |
12480:4a5048c359d7 | 72 expect error, pulling not allowed |
12480:4a5048c359d7 | 73 |
12480:4a5048c359d7 | 74 $ req |
12643:d08bb64888bc | 75 pulling from http://localhost:$HGPORT/ |
25391:c66d95aa1270 | 76 searching for changes |
12480:4a5048c359d7 | 77 abort: authorization failed |
12480:4a5048c359d7 | 78 % serve errors |
16913:f2719b387380 | 79 |
16913:f2719b387380 | 80 $ cd .. |

rev | description | author | parents |
---|---|---|---|
22046:7a9cbb315d84 | tests: replace exit 80 with #require | Matt Mackall <mpm@selenic.com> | 18851 |
4288:8a3e12426c03 | test-push-http: use printenv.py | Alexis S. L. Carvalho <alexis@cecm.usp.br> | 2673 |
12480:4a5048c359d7 | tests: unify test-pull-http | Matt Mackall <mpm@selenic.com> | 10398 |
2481:5c65b4e51610 | add tests for push over http. | Vadim Gelfer <vadim.gelfer@gmail.com> | |
15552:62c9183a0bbb | clone: don't save user's password in .hg/hgrc (Issue3122) | Augie Fackler <durin42@gmail.com> | 13405 |
29978:3d2ea1403c62 | samplehgrcs: use single quotes in use warning | timeless <timeless@mozdev.org> | 29688 |
22837:2be7d5ebd4d0 | config: use the same hgrc for a cloned repo as for an uninitted repo | Jordi Gutiérrez Hermoso <jordigh@octave.org> | 22645 |
31064:4431add9aef9 | ui: replace obsolete default-push with default:pushurl (issue5485) | Rishabh Madan <rishabhmadan96@gmail.com> | 29978 |
25474:8c14f87bd0ae | tests: drop DAEMON_PIDS from killdaemons calls | Matt Mackall <mpm@selenic.com> | 25472 |
29688:30c59bdd4f41 | tests: remove all remaining usage of experimental.bundle2-exp | Pierre-Yves David <pierre-yves.david@ens-lyon.org> | 29687 |
25372:df723a2655e9 | test: use both bundle formats in test-pull-http | Pierre-Yves David <pierre-yves.david@fb.com> | 22837 |
29687:ac9b85079122 | tests: use 'legacy.exchange' option in various mixed tests | Pierre-Yves David <pierre-yves.david@ens-lyon.org> | 25474 |
6778:959efdac4a9c | tests: add some tests for web.allowpull configurations | Dirkjan Ochtman <dirkjan@ochtman.nl> | 6167 |
12743:4c4aeaab2339 | check-code: add 'no tab indent' check for unified tests | Adrian Buehlmann <adrian@cadifra.com> | 12643 |
25472:4d2b9b304ad0 | tests: drop explicit $TESTDIR from executables | Matt Mackall <mpm@selenic.com> | 25405 |
6167:f53b9a383476 | tests: easier hg serve error diagnosis | Dirkjan Ochtman <dirkjan@ochtman.nl> | 5386 |
12643:d08bb64888bc | tests: reintroduce ":$HGPORT" in test output | Mads Kiilerich <mads@kiilerich.com> | 12480 |
25391:c66d95aa1270 | test: use bundle2 in test-pull-http | Pierre-Yves David <pierre-yves.david@fb.com> | 25372 |
16913:f2719b387380 | tests: add missing trailing 'cd ..' | Mads Kiilerich <mads@kiilerich.com> | 15555 |