Mercurial > hg
view tests/test-archive.t @ 30766:d7bf7d2bd5ab
hgweb: support Content Security Policy
Content-Security-Policy (CSP) is a web security feature that allows
servers to declare what loaded content is allowed to do. For example,
a policy can prevent loading of images, JavaScript, CSS, etc unless
the source of that content is whitelisted (by hostname, URI scheme,
hashes of content, etc). It's a nifty security feature that provides
extra mitigation against some attacks, notably XSS.
Mitigation against these attacks is important for Mercurial because
hgweb renders repository data, which is commonly untrusted. While we
make attempts to escape things, etc, there's the possibility that
malicious data could be injected into the site content. If this happens
today, the full power of the web browser is available to that
malicious content. A restrictive CSP policy (defined by the server
operator and sent in an HTTP header which is outside the control of
malicious content), could restrict browser capabilities and mitigate
security problems posed by malicious data.
CSP works by emitting an HTTP header declaring the policy that browsers
should apply. Ideally, this header would be emitted by a layer above
Mercurial (likely the HTTP server doing the WSGI "proxying"). This
works for some CSP policies, but not all.
For example, policies to allow inline JavaScript may require setting
a "nonce" attribute on <script>. This attribute value must be unique
and non-guessable. And, the value must be present in the HTTP header
and the HTML body. This means that coordinating the value between
Mercurial and another HTTP server could be difficult: it is much
easier to generate and emit the nonce in a central location.
This commit introduces support for emitting a
Content-Security-Policy header from hgweb. A config option defines
the header value. If present, the header is emitted. A special
"%nonce%" syntax in the value triggers generation of a nonce and
inclusion in <script> elements in templates. The inclusion of a
nonce does not occur unless "%nonce%" is present. This makes this
commit completely backwards compatible and the feature opt-in.
The nonce is a type 4 UUID, which is the flavor that is randomly
generated. It has 122 random bits, which should be plenty to satisfy
the guarantees of a nonce.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Tue, 10 Jan 2017 23:37:08 -0800 |
parents | 4259df518223 |
children | b3d2e8cce78c |
line wrap: on
line source
#require serve $ hg init test $ cd test $ echo foo>foo $ hg commit -Am 1 -d '1 0' adding foo $ echo bar>bar $ hg commit -Am 2 -d '2 0' adding bar $ mkdir baz $ echo bletch>baz/bletch $ hg commit -Am 3 -d '1000000000 0' adding baz/bletch $ hg init subrepo $ touch subrepo/sub $ hg -q -R subrepo ci -Am "init subrepo" $ echo "subrepo = subrepo" > .hgsub $ hg add .hgsub $ hg ci -m "add subrepo" $ echo "[web]" >> .hg/hgrc $ echo "name = test-archive" >> .hg/hgrc $ echo "archivesubrepos = True" >> .hg/hgrc $ cp .hg/hgrc .hg/hgrc-base > test_archtype() { > echo "allow_archive = $1" >> .hg/hgrc > hg serve -p $HGPORT -d --pid-file=hg.pid -E errors.log > cat hg.pid >> $DAEMON_PIDS > echo % $1 allowed should give 200 > get-with-headers.py localhost:$HGPORT "archive/tip.$2" | head -n 1 > echo % $3 and $4 disallowed should both give 403 > get-with-headers.py localhost:$HGPORT "archive/tip.$3" | head -n 1 > get-with-headers.py localhost:$HGPORT "archive/tip.$4" | head -n 1 > killdaemons.py > cat errors.log > cp .hg/hgrc-base .hg/hgrc > } check http return codes $ test_archtype gz tar.gz tar.bz2 zip % gz allowed should give 200 200 Script output follows % tar.bz2 and zip disallowed should both give 403 403 Archive type not allowed: bz2 403 Archive type not allowed: zip $ test_archtype bz2 tar.bz2 zip tar.gz % bz2 allowed should give 200 200 Script output follows % zip and tar.gz disallowed should both give 403 403 Archive type not allowed: zip 403 Archive type not allowed: gz $ test_archtype zip zip tar.gz tar.bz2 % zip allowed should give 200 200 Script output follows % tar.gz and tar.bz2 disallowed should both give 403 403 Archive type not allowed: gz 403 Archive type not allowed: bz2 $ echo "allow_archive = gz bz2 zip" >> .hg/hgrc $ hg serve -p $HGPORT -d --pid-file=hg.pid -E errors.log $ cat hg.pid >> $DAEMON_PIDS check archive links' order $ get-with-headers.py localhost:$HGPORT "?revcount=1" | grep '/archive/tip.' <a href="/archive/tip.zip">zip</a> <a href="/archive/tip.tar.gz">gz</a> <a href="/archive/tip.tar.bz2">bz2</a> invalid arch type should give 404 $ get-with-headers.py localhost:$HGPORT "archive/tip.invalid" | head -n 1 404 Unsupported archive type: None $ TIP=`hg id -v | cut -f1 -d' '` $ QTIP=`hg id -q` $ cat > getarchive.py <<EOF > from __future__ import absolute_import > import os > import sys > from mercurial import ( > util, > ) > try: > # Set stdout to binary mode for win32 platforms > import msvcrt > msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY) > except ImportError: > pass > if len(sys.argv) <= 3: > node, archive = sys.argv[1:] > requeststr = 'cmd=archive;node=%s;type=%s' % (node, archive) > else: > node, archive, file = sys.argv[1:] > requeststr = 'cmd=archive;node=%s;type=%s;file=%s' % (node, archive, file) > try: > stdout = sys.stdout.buffer > except AttributeError: > stdout = sys.stdout > try: > f = util.urlreq.urlopen('http://127.0.0.1:%s/?%s' > % (os.environ['HGPORT'], requeststr)) > stdout.write(f.read()) > except util.urlerr.httperror as e: > sys.stderr.write(str(e) + '\n') > EOF $ python getarchive.py "$TIP" gz | gunzip | tar tf - 2>/dev/null test-archive-1701ef1f1510/.hg_archival.txt test-archive-1701ef1f1510/.hgsub test-archive-1701ef1f1510/.hgsubstate test-archive-1701ef1f1510/bar test-archive-1701ef1f1510/baz/bletch test-archive-1701ef1f1510/foo test-archive-1701ef1f1510/subrepo/sub $ python getarchive.py "$TIP" bz2 | bunzip2 | tar tf - 2>/dev/null test-archive-1701ef1f1510/.hg_archival.txt test-archive-1701ef1f1510/.hgsub test-archive-1701ef1f1510/.hgsubstate test-archive-1701ef1f1510/bar test-archive-1701ef1f1510/baz/bletch test-archive-1701ef1f1510/foo test-archive-1701ef1f1510/subrepo/sub $ python getarchive.py "$TIP" zip > archive.zip $ unzip -t archive.zip Archive: archive.zip testing: test-archive-1701ef1f1510/.hg_archival.txt*OK (glob) testing: test-archive-1701ef1f1510/.hgsub*OK (glob) testing: test-archive-1701ef1f1510/.hgsubstate*OK (glob) testing: test-archive-1701ef1f1510/bar*OK (glob) testing: test-archive-1701ef1f1510/baz/bletch*OK (glob) testing: test-archive-1701ef1f1510/foo*OK (glob) testing: test-archive-1701ef1f1510/subrepo/sub*OK (glob) No errors detected in compressed data of archive.zip. test that we can download single directories and files $ python getarchive.py "$TIP" gz baz | gunzip | tar tf - 2>/dev/null test-archive-1701ef1f1510/baz/bletch $ python getarchive.py "$TIP" gz foo | gunzip | tar tf - 2>/dev/null test-archive-1701ef1f1510/foo test that we detect file patterns that match no files $ python getarchive.py "$TIP" gz foobar HTTP Error 404: file(s) not found: foobar test that we reject unsafe patterns $ python getarchive.py "$TIP" gz relre:baz HTTP Error 404: file(s) not found: relre:baz $ killdaemons.py $ hg archive -t tar test.tar $ tar tf test.tar test/.hg_archival.txt test/.hgsub test/.hgsubstate test/bar test/baz/bletch test/foo $ hg archive --debug -t tbz2 -X baz test.tar.bz2 --config progress.debug=true archiving: 0/4 files (0.00%) archiving: .hgsub 1/4 files (25.00%) archiving: .hgsubstate 2/4 files (50.00%) archiving: bar 3/4 files (75.00%) archiving: foo 4/4 files (100.00%) $ bunzip2 -dc test.tar.bz2 | tar tf - 2>/dev/null test/.hg_archival.txt test/.hgsub test/.hgsubstate test/bar test/foo $ hg archive -t tgz -p %b-%h test-%h.tar.gz $ gzip -dc test-$QTIP.tar.gz | tar tf - 2>/dev/null test-1701ef1f1510/.hg_archival.txt test-1701ef1f1510/.hgsub test-1701ef1f1510/.hgsubstate test-1701ef1f1510/bar test-1701ef1f1510/baz/bletch test-1701ef1f1510/foo $ hg archive autodetected_test.tar $ tar tf autodetected_test.tar autodetected_test/.hg_archival.txt autodetected_test/.hgsub autodetected_test/.hgsubstate autodetected_test/bar autodetected_test/baz/bletch autodetected_test/foo The '-t' should override autodetection $ hg archive -t tar autodetect_override_test.zip $ tar tf autodetect_override_test.zip autodetect_override_test.zip/.hg_archival.txt autodetect_override_test.zip/.hgsub autodetect_override_test.zip/.hgsubstate autodetect_override_test.zip/bar autodetect_override_test.zip/baz/bletch autodetect_override_test.zip/foo $ for ext in tar tar.gz tgz tar.bz2 tbz2 zip; do > hg archive auto_test.$ext > if [ -d auto_test.$ext ]; then > echo "extension $ext was not autodetected." > fi > done $ cat > md5comp.py <<EOF > from __future__ import print_function > try: > from hashlib import md5 > except ImportError: > from md5 import md5 > import sys > f1, f2 = sys.argv[1:3] > h1 = md5(open(f1, 'rb').read()).hexdigest() > h2 = md5(open(f2, 'rb').read()).hexdigest() > print(h1 == h2 or "md5 differ: " + repr((h1, h2))) > EOF archive name is stored in the archive, so create similar archives and rename them afterwards. $ hg archive -t tgz tip.tar.gz $ mv tip.tar.gz tip1.tar.gz $ sleep 1 $ hg archive -t tgz tip.tar.gz $ mv tip.tar.gz tip2.tar.gz $ python md5comp.py tip1.tar.gz tip2.tar.gz True $ hg archive -t zip -p /illegal test.zip abort: archive prefix contains illegal components [255] $ hg archive -t zip -p very/../bad test.zip $ hg archive --config ui.archivemeta=false -t zip -r 2 test.zip $ unzip -t test.zip Archive: test.zip testing: test/bar*OK (glob) testing: test/baz/bletch*OK (glob) testing: test/foo*OK (glob) No errors detected in compressed data of test.zip. $ hg archive -t tar - | tar tf - 2>/dev/null test-1701ef1f1510/.hg_archival.txt test-1701ef1f1510/.hgsub test-1701ef1f1510/.hgsubstate test-1701ef1f1510/bar test-1701ef1f1510/baz/bletch test-1701ef1f1510/foo $ hg archive -r 0 -t tar rev-%r.tar $ [ -f rev-0.tar ] test .hg_archival.txt $ hg archive ../test-tags $ cat ../test-tags/.hg_archival.txt repo: daa7f7c60e0a224faa4ff77ca41b2760562af264 node: 1701ef1f151069b8747038e93b5186bb43a47504 branch: default latesttag: null latesttagdistance: 4 changessincelatesttag: 4 $ hg tag -r 2 mytag $ hg tag -r 2 anothertag $ hg archive -r 2 ../test-lasttag $ cat ../test-lasttag/.hg_archival.txt repo: daa7f7c60e0a224faa4ff77ca41b2760562af264 node: 2c0277f05ed49d1c8328fb9ba92fba7a5ebcb33e branch: default tag: anothertag tag: mytag $ hg archive -t bogus test.bogus abort: unknown archive type 'bogus' [255] enable progress extension: $ cp $HGRCPATH $HGRCPATH.no-progress $ cat >> $HGRCPATH <<EOF > [progress] > assume-tty = 1 > format = topic bar number > delay = 0 > refresh = 0 > width = 60 > EOF $ hg archive ../with-progress \r (no-eol) (esc) archiving [ ] 0/6\r (no-eol) (esc) archiving [======> ] 1/6\r (no-eol) (esc) archiving [=============> ] 2/6\r (no-eol) (esc) archiving [====================> ] 3/6\r (no-eol) (esc) archiving [===========================> ] 4/6\r (no-eol) (esc) archiving [==================================> ] 5/6\r (no-eol) (esc) archiving [==========================================>] 6/6\r (no-eol) (esc) \r (no-eol) (esc) cleanup after progress extension test: $ cp $HGRCPATH.no-progress $HGRCPATH server errors $ cat errors.log empty repo $ hg init ../empty $ cd ../empty $ hg archive ../test-empty abort: no working directory: please specify a revision [255] old file -- date clamped to 1980 $ touch -t 197501010000 old $ hg add old $ hg commit -m old $ hg archive ../old.zip $ unzip -l ../old.zip Archive: ../old.zip \s*Length.* (re) *-----* (glob) *172*80*00:00*old/.hg_archival.txt (glob) *0*80*00:00*old/old (glob) *-----* (glob) \s*172\s+2 files (re) show an error when a provided pattern matches no files $ hg archive -I file_that_does_not_exist.foo ../empty.zip abort: no files match the archive pattern [255] $ hg archive -X * ../empty.zip abort: no files match the archive pattern [255] $ cd .. issue3600: check whether "hg archive" can create archive files which are extracted with expected timestamp, even though TZ is not configured as GMT. $ mkdir issue3600 $ cd issue3600 $ hg init repo $ echo a > repo/a $ hg -R repo add repo/a $ hg -R repo commit -m '#0' -d '456789012 21600' $ cat > show_mtime.py <<EOF > from __future__ import print_function > import sys, os > print(int(os.stat(sys.argv[1]).st_mtime)) > EOF $ hg -R repo archive --prefix tar-extracted archive.tar $ (TZ=UTC-3; export TZ; tar xf archive.tar) $ python show_mtime.py tar-extracted/a 456789012 $ hg -R repo archive --prefix zip-extracted archive.zip $ (TZ=UTC-3; export TZ; unzip -q archive.zip) $ python show_mtime.py zip-extracted/a 456789012 $ cd ..