view tests/test-filelog.py @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | ce26928cbe41 |
children | 83373fc2b287 |
#!/usr/bin/env python
r"""
Exercise filelog with file data that begins with '\1\n'.

The same payload is stored twice, once as a plain revision and once as a
revision flagged as a copy, and read(), cmp() and size() are checked on
each. Every mismatch is printed as an 'ERROR: ...' line; 'OK.' is
printed last in all cases, so a failure shows up as extra output lines.
"""
from mercurial import ui, hg
from mercurial.node import nullid, hex

# create=True with path='.' initialises a repository in the current
# working directory.
myui = ui.ui()
repo = hg.repository(myui, path='.', create=True)

fl = repo.file('foobar')


def addrev(text, renamed=False):
    """Add text as a new revision of the 'foobar' filelog; return its node.

    When renamed is true the revision is stored with copy metadata.
    The repository lock and a 'commit' transaction are held around the
    add and are let go in the finally clause.
    """
    # The copy source itself is irrelevant; the metadata only has to make
    # filelog.renamed() return True.
    meta = {'copyrev': hex(nullid), 'copy': 'bar'} if renamed else {}

    repolock = tr = None
    try:
        repolock = repo.lock()
        tr = repo.transaction('commit')
        # Arguments after the transaction: 0, nullid, nullid
        # (presumably link revision and the two parents -- confirm
        # against filelog.add()).
        return fl.add(text, meta, tr, 0, nullid, nullid)
    finally:
        # NOTE(review): tr.close() is reached on the error path too
        # whenever the transaction was opened. Confirm that finalising
        # after a failed add is intended for this test.
        if tr:
            tr.close()
        if repolock:
            repolock.release()


def error(text):
    """Print text on stdout as an 'ERROR: ' line."""
    # A single parenthesised argument prints the same text under the
    # Python 2 print statement.
    print('ERROR: ' + text)


textwith = '\1\nfoo'
without = 'foo'
expected_size = len(textwith)

# Revision 0: plain data starting with '\1\n'.
node = addrev(textwith)
if textwith != fl.read(node):
    error('filelog.read for data starting with \\1\\n')
# cmp() is expected to be false for the stored text and true for the
# text without the prefix.
stored_differs = fl.cmp(node, textwith)
if stored_differs or not fl.cmp(node, without):
    error('filelog.cmp for data starting with \\1\\n')
if expected_size != fl.size(0):
    error('FIXME: This is a known failure of filelog.size for data starting '
          'with \\1\\n')

# Revision 1: the same data stored together with copy metadata.
node = addrev(textwith, renamed=True)
if textwith != fl.read(node):
    error('filelog.read for a renaming + data starting with \\1\\n')
stored_differs = fl.cmp(node, textwith)
if stored_differs or not fl.cmp(node, without):
    error('filelog.cmp for a renaming + data starting with \\1\\n')
if expected_size != fl.size(1):
    error('filelog.size for a renaming + data starting with \\1\\n')

print('OK.')