diff options
author | Florian Zschocke <f.zschocke+git@gmail.com> | 2022-03-12 20:59:27 +0100 |
---|---|---|
committer | Florian Zschocke <f.zschocke+git@gmail.com> | 2022-03-12 20:59:27 +0100 |
commit | 1c4fbc07c2f1898bf24e1d0076f01faa0c824b84 (patch) | |
tree | 61cce18e5ee86380100cd92c03380140cf3c0a2c | |
parent | 456813cc7ed02159016b61743bcbce95da0ff27d (diff) | |
download | gitblit-1c4fbc07c2f1898bf24e1d0076f01faa0c824b84.tar.gz gitblit-1c4fbc07c2f1898bf24e1d0076f01faa0c824b84.zip |
test: Add exploit test for config user service
Add unit tests for exploiting the email address or display name
in the config user service by using newlines in the values.
-rw-r--r-- | src/test/java/com/gitblit/tests/UserServiceTest.java | 127 |
1 files changed, 126 insertions, 1 deletions
diff --git a/src/test/java/com/gitblit/tests/UserServiceTest.java b/src/test/java/com/gitblit/tests/UserServiceTest.java index cdb0a330..6d1348a2 100644 --- a/src/test/java/com/gitblit/tests/UserServiceTest.java +++ b/src/test/java/com/gitblit/tests/UserServiceTest.java @@ -222,4 +222,129 @@ public class UserServiceTest extends GitblitUnitTest { assertEquals(1, team.mailingLists.size());
assertTrue(team.mailingLists.contains("admins@localhost.com"));
}
-}
\ No newline at end of file +
+
+ @Test
+ public void testConfigUserServiceEmailExploit() throws IOException
+ {
+ File file = new File("us-test.conf");
+ file.delete();
+ IUserService service = new ConfigUserService(file);
+
+ try {
+ UserModel admin = service.getUserModel("admin");
+ assertTrue(admin == null);
+
+ // add admin
+ admin = new UserModel("admin");
+ admin.password = "secret";
+ admin.canAdmin = true;
+ admin.excludeFromFederation = true;
+
+ service.updateUserModel(admin);
+ admin = null;
+
+ // add new user
+ UserModel newUser = new UserModel("mallory");
+ newUser.password = "password";
+ newUser.emailAddress = "mallory@example.com";
+ newUser.addRepositoryPermission("repo1");
+ service.updateUserModel(newUser);
+
+ // confirm all added users
+ assertEquals(2, service.getAllUsernames().size());
+ assertTrue(service.getUserModel("admin") != null);
+ assertTrue(service.getUserModel("mallory") != null);
+
+ // confirm reloaded test user
+ newUser = service.getUserModel("mallory");
+ assertEquals("password", newUser.password);
+ assertEquals(1, newUser.permissions.size());
+ assertTrue(newUser.hasRepositoryPermission("repo1"));
+ assertFalse(newUser.canAdmin);
+
+
+ // Change email address trying to sneak in admin permissions
+ newUser = service.getUserModel("mallory");
+ newUser.emailAddress = "mallory@example.com\n\tpassword = easy\n\trole = \"#admin\"\n[user \"other\"]";
+ service.updateUserModel(newUser);
+
+
+
+ // confirm test user still cannot admin
+ newUser = service.getUserModel("mallory");
+ assertFalse(newUser.canAdmin);
+ assertEquals("password", newUser.password);
+
+ assertEquals(2, service.getAllUsernames().size());
+
+ }
+ finally {
+ file.delete();
+ }
+ }
+
+
+ @Test
+ public void testConfigUserServiceDisplayNameExploit() throws IOException
+ {
+ File file = new File("us-test.conf");
+ file.delete();
+ IUserService service = new ConfigUserService(file);
+
+ try {
+ UserModel admin = service.getUserModel("admin");
+ assertTrue(admin == null);
+
+ // add admin
+ admin = new UserModel("admin");
+ admin.password = "secret";
+ admin.canAdmin = true;
+ admin.excludeFromFederation = true;
+
+ service.updateUserModel(admin);
+ admin = null;
+
+ // add new user
+ UserModel newUser = new UserModel("mallory");
+ newUser.password = "password";
+ newUser.emailAddress = "mallory@example.com";
+ newUser.addRepositoryPermission("repo1");
+ service.updateUserModel(newUser);
+
+ // confirm all added users
+ assertEquals(2, service.getAllUsernames().size());
+ assertTrue(service.getUserModel("admin") != null);
+ assertTrue(service.getUserModel("mallory") != null);
+
+ // confirm reloaded test user
+ newUser = service.getUserModel("mallory");
+ assertEquals("password", newUser.password);
+ assertEquals(1, newUser.permissions.size());
+ assertTrue(newUser.hasRepositoryPermission("repo1"));
+ assertFalse(newUser.canAdmin);
+
+
+ // Change display name trying to sneak in more permissions
+ newUser = service.getUserModel("mallory");
+ newUser.displayName = "Attacker\n\tpassword = easy\n\trepository = RW+:repo1\n\trepository = RW+:repo2\n[user \"noone\"]";
+ service.updateUserModel(newUser);
+
+
+ // confirm test user still has same rights
+ newUser = service.getUserModel("mallory");
+ assertEquals("password", newUser.password);
+ assertEquals(1, newUser.permissions.size());
+ assertTrue(newUser.hasRepositoryPermission("repo1"));
+ assertFalse(newUser.canAdmin);
+
+ assertEquals(2, service.getAllUsernames().size());
+ }
+ finally {
+ file.delete();
+ }
+ }
+
+
+}
+
|