view tests/test-abort-checkin.t @ 28663:ae279d4a19e9 stable 3.7.3

convert: test for shell injection in git calls (SEC) CVE-2016-3069 (5/5) Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future. Reported by Blake Burkhart.
author Mateusz Kwapich <mitrandir@fb.com>
date Tue, 22 Mar 2016 17:27:27 -0700
parents 56b2bcea2529
children f798709eb4b9
line wrap: on
line source

  $ cat > abortcommit.py <<EOF
  > from mercurial import error
  > def hook(**args):
  >     raise error.Abort("no commits allowed")
  > def reposetup(ui, repo):
  >     repo.ui.setconfig("hooks", "pretxncommit.nocommits", hook)
  > EOF
  $ abspath=`pwd`/abortcommit.py

  $ cat <<EOF >> $HGRCPATH
  > [extensions]
  > mq =
  > abortcommit = $abspath
  > EOF

  $ hg init foo
  $ cd foo
  $ echo foo > foo
  $ hg add foo

mq may keep a reference to the repository so __del__ will not be
called and .hg/journal.dirstate will not be deleted:

  $ hg ci -m foo
  error: pretxncommit.nocommits hook failed: no commits allowed
  transaction abort!
  rollback completed
  abort: no commits allowed
  [255]
  $ hg ci -m foo
  error: pretxncommit.nocommits hook failed: no commits allowed
  transaction abort!
  rollback completed
  abort: no commits allowed
  [255]

  $ cd ..