test: Add exploit test for config user service
authorFlorian Zschocke <f.zschocke+git@gmail.com>
Sat, 12 Mar 2022 19:59:27 +0000 (20:59 +0100)
committerFlorian Zschocke <f.zschocke+git@gmail.com>
Sat, 12 Mar 2022 19:59:27 +0000 (20:59 +0100)
Add unit tests for exploiting the email address or display name
in the config user service by using newlines in the values.

src/test/java/com/gitblit/tests/UserServiceTest.java

index cdb0a330cba5203548504c4f9049f6084df513e0..6d1348a2382439e5703a5993401570f38a735922 100644 (file)
@@ -222,4 +222,129 @@ public class UserServiceTest extends GitblitUnitTest {
                assertEquals(1, team.mailingLists.size());\r
                assertTrue(team.mailingLists.contains("admins@localhost.com"));\r
        }\r
-}
\ No newline at end of file
+\r
+\r
+       @Test\r
+       public void testConfigUserServiceEmailExploit() throws IOException\r
+       {\r
+               File file = new File("us-test.conf");\r
+               file.delete();\r
+               IUserService service = new ConfigUserService(file);\r
+\r
+               try {\r
+                       UserModel admin = service.getUserModel("admin");\r
+                       assertTrue(admin == null);\r
+\r
+                       // add admin\r
+                       admin = new UserModel("admin");\r
+                       admin.password = "secret";\r
+                       admin.canAdmin = true;\r
+                       admin.excludeFromFederation = true;\r
+\r
+                       service.updateUserModel(admin);\r
+                       admin = null;\r
+\r
+                       // add new user\r
+                       UserModel newUser = new UserModel("mallory");\r
+                       newUser.password = "password";\r
+                       newUser.emailAddress = "mallory@example.com";\r
+                       newUser.addRepositoryPermission("repo1");\r
+                       service.updateUserModel(newUser);\r
+\r
+                       // confirm all added users\r
+                       assertEquals(2, service.getAllUsernames().size());\r
+                       assertTrue(service.getUserModel("admin") != null);\r
+                       assertTrue(service.getUserModel("mallory") != null);\r
+\r
+                       // confirm reloaded test user\r
+                       newUser = service.getUserModel("mallory");\r
+                       assertEquals("password", newUser.password);\r
+                       assertEquals(1, newUser.permissions.size());\r
+                       assertTrue(newUser.hasRepositoryPermission("repo1"));\r
+                       assertFalse(newUser.canAdmin);\r
+\r
+\r
+                       // Change email address trying to sneak in admin permissions\r
+                       newUser = service.getUserModel("mallory");\r
+                       newUser.emailAddress = "mallory@example.com\n\tpassword = easy\n\trole = \"#admin\"\n[user \"other\"]";\r
+                       service.updateUserModel(newUser);\r
+\r
+\r
+\r
+                       // confirm test user still cannot admin\r
+                       newUser = service.getUserModel("mallory");\r
+                       assertFalse(newUser.canAdmin);\r
+                       assertEquals("password", newUser.password);\r
+\r
+                       assertEquals(2, service.getAllUsernames().size());\r
+\r
+               }\r
+               finally {\r
+                       file.delete();\r
+               }\r
+       }\r
+\r
+\r
+       @Test\r
+       public void testConfigUserServiceDisplayNameExploit() throws IOException\r
+       {\r
+               File file = new File("us-test.conf");\r
+               file.delete();\r
+               IUserService service = new ConfigUserService(file);\r
+\r
+               try {\r
+                       UserModel admin = service.getUserModel("admin");\r
+                       assertTrue(admin == null);\r
+\r
+                       // add admin\r
+                       admin = new UserModel("admin");\r
+                       admin.password = "secret";\r
+                       admin.canAdmin = true;\r
+                       admin.excludeFromFederation = true;\r
+\r
+                       service.updateUserModel(admin);\r
+                       admin = null;\r
+\r
+                       // add new user\r
+                       UserModel newUser = new UserModel("mallory");\r
+                       newUser.password = "password";\r
+                       newUser.emailAddress = "mallory@example.com";\r
+                       newUser.addRepositoryPermission("repo1");\r
+                       service.updateUserModel(newUser);\r
+\r
+                       // confirm all added users\r
+                       assertEquals(2, service.getAllUsernames().size());\r
+                       assertTrue(service.getUserModel("admin") != null);\r
+                       assertTrue(service.getUserModel("mallory") != null);\r
+\r
+                       // confirm reloaded test user\r
+                       newUser = service.getUserModel("mallory");\r
+                       assertEquals("password", newUser.password);\r
+                       assertEquals(1, newUser.permissions.size());\r
+                       assertTrue(newUser.hasRepositoryPermission("repo1"));\r
+                       assertFalse(newUser.canAdmin);\r
+\r
+\r
+                       // Change display name trying to sneak in more permissions\r
+                       newUser = service.getUserModel("mallory");\r
+                       newUser.displayName = "Attacker\n\tpassword = easy\n\trepository = RW+:repo1\n\trepository = RW+:repo2\n[user \"noone\"]";\r
+                       service.updateUserModel(newUser);\r
+\r
+\r
+                       // confirm test user still has same rights\r
+                       newUser = service.getUserModel("mallory");\r
+                       assertEquals("password", newUser.password);\r
+                       assertEquals(1, newUser.permissions.size());\r
+                       assertTrue(newUser.hasRepositoryPermission("repo1"));\r
+                       assertFalse(newUser.canAdmin);\r
+\r
+                       assertEquals(2, service.getAllUsernames().size());\r
+               }\r
+               finally {\r
+                       file.delete();\r
+               }\r
+       }\r
+\r
+\r
+}\r
+\r
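Review bot: Both new tests (and the existing ones in this class, it seems) write to the same hard-coded relative path `new File("us-test.conf")` in the process working directory, so the tests cannot run in parallel and a file left behind by an aborted run is silently reused by the next test; a per-test temporary file, `File file = File.createTempFile("us-test", ".conf");`, removes both problems and keeps the `finally { file.delete(); }` cleanup as is. The reload assertions only check that the injected `password`, `role` and `repository` lines did not take effect; they do not pin what happened to the tampered field itself, so a regression that drops or truncates the e-mail address or display name on write would still pass — consider asserting the reloaded `newUser.emailAddress` and `newUser.displayName` against the value the service is expected to persist (or `assertThrows` if the service is meant to reject the value). The two methods share roughly forty identical setup lines (admin creation, mallory creation, reload checks); extracting that into a private helper returning the reloaded `UserModel` would make the exploit payload and its assertions the only thing each test body contains.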