Mercurial > hg
changeset 33639:08cfc4baf3ba stable
push: add tests for unsafe ssh url (SEC)
| author | Sean Farley <sean@farley.io> |
|---|---|
| date | Mon, 31 Jul 2017 14:40:28 -0700 |
| parents | 92b583e3e522 |
| children | 55681baf4cf9 |
| files | tests/test-push.t |
| diffstat | 1 files changed, 18 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/tests/test-push.t Fri Jul 28 16:47:32 2017 -0700 +++ b/tests/test-push.t Mon Jul 31 14:40:28 2017 -0700 @@ -297,3 +297,21 @@ lock: user *, process * (*s) (glob) wlock: user *, process * (*s) (glob) +SEC: check for unsafe ssh url + + $ hg -R test-revflag push 'ssh://-oProxyCommand=touch${IFS}owned/path' + pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path + abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path' + [255] + $ hg -R test-revflag push 'ssh://%2DoProxyCommand=touch${IFS}owned/path' + pushing to ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path + abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path' + [255] + $ hg -R test-revflag push 'ssh://fakehost|shellcommand/path' + pushing to ssh://fakehost%7Cshellcommand/path + abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path' + [255] + $ hg -R test-revflag push 'ssh://fakehost%7Cshellcommand/path' + pushing to ssh://fakehost%7Cshellcommand/path + abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path' + [255]