637 $ mkdir s/.svn/.hg |
637 $ mkdir s/.svn/.hg |
638 $ echo '.hg/hgrc in svn metadata area' > s/.svn/.hg/hgrc |
638 $ echo '.hg/hgrc in svn metadata area' > s/.svn/.hg/hgrc |
639 $ hg update -q -C '.^1' |
639 $ hg update -q -C '.^1' |
640 |
640 |
641 $ cd ../.. |
641 $ cd ../.. |
|
642 |
|
643 SEC: test for ssh exploit |
|
644 |
|
645 $ hg init ssh-vuln |
|
646 $ cd ssh-vuln |
|
647 $ echo "s = [svn]$SVNREPOURL/src" >> .hgsub |
|
648 $ svn co --quiet "$SVNREPOURL"/src s |
|
649 $ hg add .hgsub |
|
650 $ hg ci -m1 |
|
651 $ echo "s = [svn]svn+ssh://-oProxyCommand=touch%20owned%20nested" > .hgsub |
|
652 $ hg ci -m2 |
|
653 $ cd .. |
|
654 $ hg clone ssh-vuln ssh-vuln-clone |
|
655 updating to branch default |
|
656 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepo s) |
|
657 [255] |
|
658 |
|
659 also check that a percent encoded '-' (%2D) doesn't work |
|
660 |
|
661 $ cd ssh-vuln |
|
662 $ echo "s = [svn]svn+ssh://%2DoProxyCommand=touch%20owned%20nested" > .hgsub |
|
663 $ hg ci -m3 |
|
664 $ cd .. |
|
665 $ rm -r ssh-vuln-clone |
|
666 $ hg clone ssh-vuln ssh-vuln-clone |
|
667 updating to branch default |
|
668 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned nested' (in subrepo s) |
|
669 [255] |
|
670 |
|
671 also check for a pipe |
|
672 |
|
673 $ cd ssh-vuln |
|
674 $ echo "s = [svn]svn+ssh://fakehost|sh%20nested" > .hgsub |
|
675 $ hg ci -m3 |
|
676 $ cd .. |
|
677 $ rm -r ssh-vuln-clone |
|
678 $ hg clone ssh-vuln ssh-vuln-clone |
|
679 updating to branch default |
|
680 abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepo s) |
|
681 [255] |
|
682 |
|
683 also check that a percent encoded '|' (%7C) doesn't work |
|
684 |
|
685 $ cd ssh-vuln |
|
686 $ echo "s = [svn]svn+ssh://fakehost%7Csh%20nested" > .hgsub |
|
687 $ hg ci -m3 |
|
688 $ cd .. |
|
689 $ rm -r ssh-vuln-clone |
|
690 $ hg clone ssh-vuln ssh-vuln-clone |
|
691 updating to branch default |
|
692 abort: potentially unsafe url: 'svn+ssh://fakehost|sh nested' (in subrepo s) |
|
693 [255] |
|
694 |
|
695 also check that hiding the attack in the username doesn't work: |
|
696 |
|
697 $ cd ssh-vuln |
|
698 $ echo "s = [svn]svn+ssh://%2DoProxyCommand=touch%20owned%20foo@example.com/nested" > .hgsub |
|
699 $ hg ci -m3 |
|
700 $ cd .. |
|
701 $ rm -r ssh-vuln-clone |
|
702 $ hg clone ssh-vuln ssh-vuln-clone |
|
703 updating to branch default |
|
704 abort: potentially unsafe url: 'svn+ssh://-oProxyCommand=touch owned foo@example.com/nested' (in subrepo s) |
|
705 [255] |