Mercurial > hg-git
annotate tests/test-illegal-contents.t @ 1144:c9ba526e82d6 default tip master
Added signature for changeset c651bb6fcf33
author | Kevin Bullock <kbullock@ringworld.org> |
---|---|
date | Sun, 14 Oct 2018 21:43:45 -0500 |
parents | be0d1413a06f |
children |
rev | line source |
---|---|
850
81c55f8629ba
hg2git: audit path components during export (CVE-2014-9390)
Augie Fackler <raf@durin42.com>
1 Check for contents we should refuse to export to git repositories (or |
2 at least warn). |
3 |
4 Load commonly used test logic |
5 $ . "$TESTDIR/testutil" |
6 |
7 $ hg init hg |
8 $ cd hg |
9 $ mkdir -p .git/hooks |
10 $ cat > .git/hooks/post-update <<EOF |
11 > #!/bin/sh |
12 > echo pwned |
13 > EOF |
14 |
15 $ hg addremove |
16 adding .git/hooks/post-update |
17 $ hg ci -m "we should refuse to export this" |
18 $ hg book master |
19 $ hg gexport |
20 abort: Refusing to export likely-dangerous path '.git/hooks/post-update' |
21 (If you need to continue, read about CVE-2014-9390 and then set '[git] blockdotgit = false' in your hgrc.) |
22 [255] |
23 $ cd .. |
24 |
25 $ rm -rf hg |
26 $ hg init hg |
27 $ cd hg |
28 $ mkdir -p nested/.git/hooks/ |
29 $ cat > nested/.git/hooks/post-update <<EOF |
30 > #!/bin/sh |
31 > echo pwnd |
32 > EOF |
33 $ chmod +x nested/.git/hooks/post-update |
34 $ hg addremove |
35 adding nested/.git/hooks/post-update |
36 $ hg ci -m "also refuse to export this" |
37 $ hg book master |
38 $ hg gexport |
39 abort: Refusing to export likely-dangerous path 'nested/.git/hooks/post-update' |
40 (If you need to continue, read about CVE-2014-9390 and then set '[git] blockdotgit = false' in your hgrc.) |
41 [255] |
42 We can override the check if needed; gexport then only warns, and the git clone below still rejects the path at checkout: |
43 $ hg --config git.blockdotgit=false gexport |
44 warning: path 'nested/.git/hooks/post-update' contains a potentially dangerous path component. |
45 It may not be legal to check out in Git. |
46 It may also be rejected by some git server configurations. |
47 $ cd .. |
48 $ git clone hg/.hg/git git |
49 Cloning into 'git'... |
50 done. |
51 error: Invalid path 'nested/.git/hooks/post-update' |
52 |
53 Now check something that case-folds to .git, which might let you own |
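54 Mac users (as recorded here, the gexport on line 70 is expected to print nothing, so this case asserts no refusal for '.GIT'; confirm that is intended): |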
55 |
56 $ cd .. |
57 $ rm -rf hg |
58 $ hg init hg |
59 $ cd hg |
60 $ mkdir -p .GIT/hooks/ |
61 $ cat > .GIT/hooks/post-checkout <<EOF |
62 > #!/bin/sh |
63 > echo pwnd |
64 > EOF |
65 $ chmod +x .GIT/hooks/post-checkout |
66 $ hg addremove |
67 adding .GIT/hooks/post-checkout |
68 $ hg ci -m "also refuse to export this" |
69 $ hg book master |
70 $ hg gexport |
71 $ cd .. |
72 |
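73 And the NTFS case (note: line 71 already ran `cd ..`, so the `cd ..` on line 74 moves one more level up before `rm -rf hg` runs; lines 47 and 56 do the same): |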
74 $ cd .. |
75 $ rm -rf hg |
76 $ hg init hg |
77 $ cd hg |
78 $ mkdir -p GIT~1/hooks/ |
79 $ cat > GIT~1/hooks/post-checkout <<EOF |
80 > #!/bin/sh |
81 > echo pwnd |
82 > EOF |
83 $ chmod +x GIT~1/hooks/post-checkout |
84 $ hg addremove |
85 adding GIT~1/hooks/post-checkout |
86 $ hg ci -m "also refuse to export this" |
87 $ hg book master |
88 $ hg gexport |
89 abort: Refusing to export likely-dangerous path 'GIT~1/hooks/post-checkout' |
90 (If you need to continue, read about CVE-2014-9390 and then set '[git] blockdotgit = false' in your hgrc.) |
91 [255] |
92 $ cd .. |
987
be0d1413a06f
git_handler: detect and reject nested Mercurial repositories
Dan Villiom Podlaski Christiansen <danchr@gmail.com>
93 |
94 Now check a Git repository containing a Mercurial repository, which |
95 you can't check out. |
96 |
97 $ rm -rf hg git nested |
98 $ git init -q git |
99 $ hg init nested |
100 $ mv nested git |
101 $ cd git |
102 $ git add nested |
103 $ fn_git_commit -m 'add a Mercurial repository' |
104 $ cd .. |
105 $ hg clone git hg |
106 importing git objects into hg |
107 abort: Refusing to import problematic path 'nested/.hg/00changelog.i' |
108 (Mercurial cannot check out paths inside nested repositories; if you need to continue, then set '[git] blockdothg = false' in your hgrc.) |
109 [255] |
110 $ hg clone --config git.blockdothg=false git hg |
111 importing git objects into hg |
112 warning: path 'nested/.hg/00changelog.i' is within a nested repository, which Mercurial cannot check out. |
113 warning: path 'nested/.hg/requires' is within a nested repository, which Mercurial cannot check out. |
114 updating to branch default |
115 abort: path 'nested/.hg/00changelog.i' is inside nested repo 'nested' |
116 [255] |
117 $ cd .. |