Mercurial > hg
view tests/test-walkrepo.py @ 28663:ae279d4a19e9 stable 3.7.3
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
author | Mateusz Kwapich <mitrandir@fb.com> |
---|---|
date | Tue, 22 Mar 2016 17:27:27 -0700 |
parents | a8b2bf520a2a |
children | a4803f35efba |
line wrap: on
line source
from __future__ import absolute_import import os from mercurial import ( hg, scmutil, ui, util, ) chdir = os.chdir mkdir = os.mkdir pjoin = os.path.join walkrepos = scmutil.walkrepos checklink = util.checklink u = ui.ui() sym = checklink('.') hg.repository(u, 'top1', create=1) mkdir('subdir') chdir('subdir') hg.repository(u, 'sub1', create=1) mkdir('subsubdir') chdir('subsubdir') hg.repository(u, 'subsub1', create=1) chdir(os.path.pardir) if sym: os.symlink(os.path.pardir, 'circle') os.symlink(pjoin('subsubdir', 'subsub1'), 'subsub1') def runtest(): reposet = frozenset(walkrepos('.', followsym=True)) if sym and (len(reposet) != 3): print "reposet = %r" % (reposet,) print ("Found %d repositories when I should have found 3" % (len(reposet),)) if (not sym) and (len(reposet) != 2): print "reposet = %r" % (reposet,) print ("Found %d repositories when I should have found 2" % (len(reposet),)) sub1set = frozenset((pjoin('.', 'sub1'), pjoin('.', 'circle', 'subdir', 'sub1'))) if len(sub1set & reposet) != 1: print "sub1set = %r" % (sub1set,) print "reposet = %r" % (reposet,) print "sub1set and reposet should have exactly one path in common." sub2set = frozenset((pjoin('.', 'subsub1'), pjoin('.', 'subsubdir', 'subsub1'))) if len(sub2set & reposet) != 1: print "sub2set = %r" % (sub2set,) print "reposet = %r" % (reposet,) print "sub2set and reposet should have exactly one path in common." sub3 = pjoin('.', 'circle', 'top1') if sym and sub3 not in reposet: print "reposet = %r" % (reposet,) print "Symbolic links are supported and %s is not in reposet" % (sub3,) runtest() if sym: # Simulate not having symlinks. del os.path.samestat sym = False runtest()