changeset 33639:08cfc4baf3ba stable

push: add tests for unsafe ssh url (SEC)
author Sean Farley <sean@farley.io>
date Mon, 31 Jul 2017 14:40:28 -0700
parents 92b583e3e522
children 55681baf4cf9
files tests/test-push.t
diffstat 1 files changed, 18 insertions(+), 0 deletions(-) [+]
--- a/tests/test-push.t	Fri Jul 28 16:47:32 2017 -0700
+++ b/tests/test-push.t	Mon Jul 31 14:40:28 2017 -0700
@@ -297,3 +297,21 @@
   lock:  user *, process * (*s) (glob)
   wlock: user *, process * (*s) (glob)
 
+SEC: check for unsafe ssh url
+
+  $ hg -R test-revflag push 'ssh://-oProxyCommand=touch${IFS}owned/path'
+  pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
+  abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
+  [255]
+  $ hg -R test-revflag push 'ssh://%2DoProxyCommand=touch${IFS}owned/path'
+  pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
+  abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
+  [255]
+  $ hg -R test-revflag push 'ssh://fakehost|shellcommand/path'
+  pushing to ssh://fakehost%7Cshellcommand/path
+  abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+  [255]
+  $ hg -R test-revflag push 'ssh://fakehost%7Cshellcommand/path'
+  pushing to ssh://fakehost%7Cshellcommand/path
+  abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+  [255]
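Review bot: All four cases assert only the abort message and the `[255]` status, so nothing here pins that no command was actually spawned before the abort. After the two `-oProxyCommand` cases I would add `$ test -f owned` with expected output `[1]`, so a regression that builds the ssh command line before validating the URL would presumably fail the test even if the message stayed the same. The `SEC: check for unsafe ssh url` header could also state why each URL appears twice, for example `the %2D and %7C forms verify that the check runs on the decoded host, not the raw string`. Other ssh-using commands are not exercised in this file's hunk, so it is worth confirming they have equivalent tests elsewhere.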