From: Florian Zschocke Date: Sat, 12 Mar 2022 19:59:27 +0000 (+0100) Subject: test: Add exploit test for config user service X-Git-Tag: v1.9.3~6^2~2 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=1c4fbc07c2f1898bf24e1d0076f01faa0c824b84;p=gitblit.git test: Add exploit test for config user service Add unit tests for exploiting the email address or display name in the config user service by using newlines in the values.
---
diff --git a/src/test/java/com/gitblit/tests/UserServiceTest.java b/src/test/java/com/gitblit/tests/UserServiceTest.java
index cdb0a330..6d1348a2 100644
--- a/src/test/java/com/gitblit/tests/UserServiceTest.java
+++ b/src/test/java/com/gitblit/tests/UserServiceTest.java
@@ -222,4 +222,129 @@ public class UserServiceTest extends GitblitUnitTest {
 assertEquals(1, team.mailingLists.size());
 assertTrue(team.mailingLists.contains("admins@localhost.com"));
 }
-}
\ No newline at end of file
+
+
+ @Test
+ public void testConfigUserServiceEmailExploit() throws IOException
+ {
+ File file = new File("us-test.conf");
+ file.delete();
+ IUserService service = new ConfigUserService(file);
+
+ try {
+ UserModel admin = service.getUserModel("admin");
+ assertTrue(admin == null);
+
+ // add admin
+ admin = new UserModel("admin");
+ admin.password = "secret";
+ admin.canAdmin = true;
+ admin.excludeFromFederation = true;
+
+ service.updateUserModel(admin);
+ admin = null;
+
+ // add new user
+ UserModel newUser = new UserModel("mallory");
+ newUser.password = "password";
+ newUser.emailAddress = "mallory@example.com";
+ newUser.addRepositoryPermission("repo1");
+ service.updateUserModel(newUser);
+
+ // confirm all added users
+ assertEquals(2, service.getAllUsernames().size());
+ assertTrue(service.getUserModel("admin") != null);
+ assertTrue(service.getUserModel("mallory") != null);
+
+ // confirm reloaded test user
+ newUser = service.getUserModel("mallory");
+ assertEquals("password", newUser.password);
+ assertEquals(1, newUser.permissions.size());
+ assertTrue(newUser.hasRepositoryPermission("repo1"));
+ assertFalse(newUser.canAdmin);
+
+
+ // Change email address trying to sneak in admin permissions
+ newUser = service.getUserModel("mallory");
+ newUser.emailAddress = "mallory@example.com\n\tpassword = easy\n\trole = \"#admin\"\n[user \"other\"]";
+ service.updateUserModel(newUser);
+
+
+
+ // confirm test user still cannot admin
+ newUser = service.getUserModel("mallory");
+ assertFalse(newUser.canAdmin);
+ assertEquals("password", newUser.password);
+
+ assertEquals(2, service.getAllUsernames().size());
+
+ }
+ finally {
+ file.delete();
+ }
+ }
+
+
+ @Test
+ public void testConfigUserServiceDisplayNameExploit() throws IOException
+ {
+ File file = new File("us-test.conf");
+ file.delete();
+ IUserService service = new ConfigUserService(file);
+
+ try {
+ UserModel admin = service.getUserModel("admin");
+ assertTrue(admin == null);
+
+ // add admin
+ admin = new UserModel("admin");
+ admin.password = "secret";
+ admin.canAdmin = true;
+ admin.excludeFromFederation = true;
+
+ service.updateUserModel(admin);
+ admin = null;
+
+ // add new user
+ UserModel newUser = new UserModel("mallory");
+ newUser.password = "password";
+ newUser.emailAddress = "mallory@example.com";
+ newUser.addRepositoryPermission("repo1");
+ service.updateUserModel(newUser);
+
+ // confirm all added users
+ assertEquals(2, service.getAllUsernames().size());
+ assertTrue(service.getUserModel("admin") != null);
+ assertTrue(service.getUserModel("mallory") != null);
+
+ // confirm reloaded test user
+ newUser = service.getUserModel("mallory");
+ assertEquals("password", newUser.password);
+ assertEquals(1, newUser.permissions.size());
+ assertTrue(newUser.hasRepositoryPermission("repo1"));
+ assertFalse(newUser.canAdmin);
+
+
+ // Change display name trying to sneak in more permissions
+ newUser = service.getUserModel("mallory");
+ newUser.displayName = "Attacker\n\tpassword = easy\n\trepository = RW+:repo1\n\trepository = RW+:repo2\n[user \"noone\"]";
+ service.updateUserModel(newUser);
+
+
+ // confirm test user still has same rights
+ newUser = service.getUserModel("mallory");
+ assertEquals("password", newUser.password);
+ assertEquals(1, newUser.permissions.size());
+ assertTrue(newUser.hasRepositoryPermission("repo1"));
+ assertFalse(newUser.canAdmin);
+
+ assertEquals(2, service.getAllUsernames().size());
+ }
+ finally {
+ file.delete();
+ }
+ }
+
+
+}
+
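Review bot: The post-injection assertions in testConfigUserServiceEmailExploit read back through the same `service` instance that just wrote the realm file, so if ConfigUserService answers getUserModel from its in-memory user map rather than re-parsing us-test.conf, the test would pass even when the newline-bearing value was persisted verbatim and would later be read back as extra keys plus a new `[user "other"]` section, which is the very condition the test exists to catch. Re-opening the realm before the checks, `service = new ConfigUserService(file);` placed right after the `service.updateUserModel(newUser);` that follows the injected value, makes the "still cannot admin" and user-count assertions depend on what is actually on disk; the same applies to testConfigUserServiceDisplayNameExploit. Both tests also use the fixed relative path `us-test.conf`, so if other tests in this class share that name they cannot run concurrently, and `File.createTempFile("us-test", ".conf")` would remove the coupling. As a style point, `assertTrue(admin == null)` and `assertTrue(service.getUserModel("admin") != null)` read better as `assertNull(admin)` and `assertNotNull(...)`, which also give a clearer failure message.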