Mercurial > hg
comparison tests/test-convert-git.t @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
| author | Mateusz Kwapich <mitrandir@fb.com> |
|---|---|
| date | Tue, 22 Mar 2016 17:27:27 -0700 |
| parents | cdda7b96afff |
| children | 4a359b8f8fae |
comparison
equal
deleted
inserted
replaced
| 28662:80cac1de6aea | 28663:ae279d4a19e9 |
|---|---|
| 727 | 727 |
| 728 $ TREE_OBJ=72/49f083d2a63a41cc737764a86981eb5f3e4635 | 728 $ TREE_OBJ=72/49f083d2a63a41cc737764a86981eb5f3e4635 |
| 729 $ mv git-repo4/.git/objects/$TREE_OBJ git-repo4/.git/objects/$TREE_OBJ.tmp | 729 $ mv git-repo4/.git/objects/$TREE_OBJ git-repo4/.git/objects/$TREE_OBJ.tmp |
| 730 $ hg convert git-repo4 git-repo4-broken-hg 2>&1 | grep 'abort:' | 730 $ hg convert git-repo4 git-repo4-broken-hg 2>&1 | grep 'abort:' |
| 731 abort: cannot read changes in 1c0ce3c5886f83a1d78a7b517cdff5cf9ca17bdd | 731 abort: cannot read changes in 1c0ce3c5886f83a1d78a7b517cdff5cf9ca17bdd |
| 732 | |
| 733 test for escaping the repo name (CVE-2016-3069) | |
| 734 | |
| 735 $ git init '`echo pwned >COMMAND-INJECTION`' | |
| 736 Initialized empty Git repository in $TESTTMP/`echo pwned >COMMAND-INJECTION`/.git/ | |
| 737 $ cd '`echo pwned >COMMAND-INJECTION`' | |
| 738 $ git commit -q --allow-empty -m 'empty' | |
| 739 $ cd .. | |
| 740 $ hg convert '`echo pwned >COMMAND-INJECTION`' 'converted' | |
| 741 initializing destination converted repository | |
| 742 scanning source... | |
| 743 sorting... | |
| 744 converting... | |
| 745 0 empty | |
| 746 updating bookmarks | |
| 747 $ test -f COMMAND-INJECTION | |
| 748 [1] |