changeset 33654:0ee42a0df5be stable

pull: add tests for unsafe ssh url (SEC)
author Sean Farley <sean@farley.io>
date Fri, 28 Jul 2017 16:47:32 -0700
parents 0bcceb58b036
children 48d520fdf880
files tests/test-pull.t
diffstat 1 files changed, 19 insertions(+), 0 deletions(-) [+]
--- a/tests/test-pull.t	Fri Jul 28 16:36:36 2017 -0700
+++ b/tests/test-pull.t	Fri Jul 28 16:47:32 2017 -0700
@@ -105,4 +105,23 @@
   $ URL=`$PYTHON -c "import os; print 'file://localhost' + ('/' + os.getcwd().replace(os.sep, '/')).replace('//', '/') + '/../test'"`
   $ hg pull -q "$URL"
 
+SEC: check for unsafe ssh url
+
+  $ hg pull 'ssh://-oProxyCommand=touch${IFS}owned/path'
+  pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
+  abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
+  [255]
+  $ hg pull 'ssh://%2DoProxyCommand=touch${IFS}owned/path'
+  pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path
+  abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path'
+  [255]
+  $ hg pull 'ssh://fakehost|shellcommand/path'
+  pulling from ssh://fakehost%7Cshellcommand/path
+  abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+  [255]
+  $ hg pull 'ssh://fakehost%7Cshellcommand/path'
+  pulling from ssh://fakehost%7Cshellcommand/path
+  abort: potentially unsafe url: 'ssh://fakehost|shellcommand/path'
+  [255]
+
   $ cd ..
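Review bot: The four new cases pin only the abort message and the `[255]` status; none asserts that the command embedded in the URL never ran. After the two `-oProxyCommand=touch${IFS}owned` cases, a `  $ test -f owned` line followed by `  [1]` would make the test fail if a regression let ssh start before the URL check. This presumes the test environment would otherwise reach a real ssh invocation, which the hunk does not show. The `SEC:` header could also say why both spellings are tested, for example `a host starting with '-' is parsed by ssh as an option; %2D and %7C are checked because the URL is decoded before use`.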