subrepo: add tests for hg rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
--- a/tests/test-subrepo.t Mon Jul 31 14:40:28 2017 -0700
+++ b/tests/test-subrepo.t Mon Jul 31 16:04:44 2017 -0700
@@ -1777,3 +1777,70 @@
+bar
$ cd ..
+
+test for ssh exploit 2017-07-25
+
+ $ hg init malicious-proxycommand
+ $ cd malicious-proxycommand
+ $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub
+ $ hg init s
+ $ cd s
+ $ echo init > init
+ $ hg add
+ adding init
+ $ hg commit -m init
+ $ cd ..
+ $ hg add .hgsub
+ $ hg ci -m 'add subrepo'
+ $ cd ..
+ $ hg clone malicious-proxycommand malicious-proxycommand-clone
+ updating to branch default
+ abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path' (in subrepo s)
+ [255]
+
+also check that a percent encoded '-' (%2D) doesn't work
+
+ $ cd malicious-proxycommand
+ $ echo 's = [hg]ssh://%2DoProxyCommand=touch${IFS}owned/path' > .hgsub
+ $ hg ci -m 'change url to percent encoded'
+ $ cd ..
+ $ rm -r malicious-proxycommand-clone
+ $ hg clone malicious-proxycommand malicious-proxycommand-clone
+ updating to branch default
+ abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path' (in subrepo s)
+ [255]
+
+also check for a pipe
+
+ $ cd malicious-proxycommand
+ $ echo 's = [hg]ssh://fakehost|shell/path' > .hgsub
+ $ hg ci -m 'change url to pipe'
+ $ cd ..
+ $ rm -r malicious-proxycommand-clone
+ $ hg clone malicious-proxycommand malicious-proxycommand-clone
+ updating to branch default
+ abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepo s)
+ [255]
+
+also check that a percent encoded '|' (%7C) doesn't work
+
+ $ cd malicious-proxycommand
+ $ echo 's = [hg]ssh://fakehost%7Cshell/path' > .hgsub
+ $ hg ci -m 'change url to percent encoded pipe'
+ $ cd ..
+ $ rm -r malicious-proxycommand-clone
+ $ hg clone malicious-proxycommand malicious-proxycommand-clone
+ updating to branch default
+ abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepo s)
+ [255]
+
+and bad usernames:
+ $ cd malicious-proxycommand
+ $ echo 's = [hg]ssh://-oProxyCommand=touch owned@example.com/path' > .hgsub
+ $ hg ci -m 'owned username'
+ $ cd ..
+ $ rm -r malicious-proxycommand-clone
+ $ hg clone malicious-proxycommand malicious-proxycommand-clone
+ updating to branch default
+ abort: potentially unsafe url: 'ssh://-oProxyCommand=touch owned@example.com/path' (in subrepo s)
+ [255]