summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFlorian Zschocke <f.zschocke+git@gmail.com>2022-03-12 20:59:27 +0100
committerFlorian Zschocke <f.zschocke+git@gmail.com>2022-03-12 20:59:27 +0100
commit1c4fbc07c2f1898bf24e1d0076f01faa0c824b84 (patch)
tree61cce18e5ee86380100cd92c03380140cf3c0a2c
parent456813cc7ed02159016b61743bcbce95da0ff27d (diff)
downloadgitblit-1c4fbc07c2f1898bf24e1d0076f01faa0c824b84.tar.gz
gitblit-1c4fbc07c2f1898bf24e1d0076f01faa0c824b84.zip
test: Add exploit test for config user service
Add unit tests for exploiting the email address or display name in the config user service by using newlines in the values.
-rw-r--r--src/test/java/com/gitblit/tests/UserServiceTest.java127
1 files changed, 126 insertions, 1 deletions
diff --git a/src/test/java/com/gitblit/tests/UserServiceTest.java b/src/test/java/com/gitblit/tests/UserServiceTest.java
index cdb0a330..6d1348a2 100644
--- a/src/test/java/com/gitblit/tests/UserServiceTest.java
+++ b/src/test/java/com/gitblit/tests/UserServiceTest.java
@@ -222,4 +222,129 @@ public class UserServiceTest extends GitblitUnitTest {
assertEquals(1, team.mailingLists.size());
assertTrue(team.mailingLists.contains("admins@localhost.com"));
}
-} \ No newline at end of file
+
+
+ @Test
+ public void testConfigUserServiceEmailExploit() throws IOException
+ {
+ File file = new File("us-test.conf");
+ file.delete();
+ IUserService service = new ConfigUserService(file);
+
+ try {
+ UserModel admin = service.getUserModel("admin");
+ assertTrue(admin == null);
+
+ // add admin
+ admin = new UserModel("admin");
+ admin.password = "secret";
+ admin.canAdmin = true;
+ admin.excludeFromFederation = true;
+
+ service.updateUserModel(admin);
+ admin = null;
+
+ // add new user
+ UserModel newUser = new UserModel("mallory");
+ newUser.password = "password";
+ newUser.emailAddress = "mallory@example.com";
+ newUser.addRepositoryPermission("repo1");
+ service.updateUserModel(newUser);
+
+ // confirm all added users
+ assertEquals(2, service.getAllUsernames().size());
+ assertTrue(service.getUserModel("admin") != null);
+ assertTrue(service.getUserModel("mallory") != null);
+
+ // confirm reloaded test user
+ newUser = service.getUserModel("mallory");
+ assertEquals("password", newUser.password);
+ assertEquals(1, newUser.permissions.size());
+ assertTrue(newUser.hasRepositoryPermission("repo1"));
+ assertFalse(newUser.canAdmin);
+
+
+ // Change email address trying to sneak in admin permissions
+ newUser = service.getUserModel("mallory");
+ newUser.emailAddress = "mallory@example.com\n\tpassword = easy\n\trole = \"#admin\"\n[user \"other\"]";
+ service.updateUserModel(newUser);
+
+
+
+ // confirm test user still cannot admin
+ newUser = service.getUserModel("mallory");
+ assertFalse(newUser.canAdmin);
+ assertEquals("password", newUser.password);
+
+ assertEquals(2, service.getAllUsernames().size());
+
+ }
+ finally {
+ file.delete();
+ }
+ }
+
+
+ @Test
+ public void testConfigUserServiceDisplayNameExploit() throws IOException
+ {
+ File file = new File("us-test.conf");
+ file.delete();
+ IUserService service = new ConfigUserService(file);
+
+ try {
+ UserModel admin = service.getUserModel("admin");
+ assertTrue(admin == null);
+
+ // add admin
+ admin = new UserModel("admin");
+ admin.password = "secret";
+ admin.canAdmin = true;
+ admin.excludeFromFederation = true;
+
+ service.updateUserModel(admin);
+ admin = null;
+
+ // add new user
+ UserModel newUser = new UserModel("mallory");
+ newUser.password = "password";
+ newUser.emailAddress = "mallory@example.com";
+ newUser.addRepositoryPermission("repo1");
+ service.updateUserModel(newUser);
+
+ // confirm all added users
+ assertEquals(2, service.getAllUsernames().size());
+ assertTrue(service.getUserModel("admin") != null);
+ assertTrue(service.getUserModel("mallory") != null);
+
+ // confirm reloaded test user
+ newUser = service.getUserModel("mallory");
+ assertEquals("password", newUser.password);
+ assertEquals(1, newUser.permissions.size());
+ assertTrue(newUser.hasRepositoryPermission("repo1"));
+ assertFalse(newUser.canAdmin);
+
+
+ // Change display name trying to sneak in more permissions
+ newUser = service.getUserModel("mallory");
+ newUser.displayName = "Attacker\n\tpassword = easy\n\trepository = RW+:repo1\n\trepository = RW+:repo2\n[user \"noone\"]";
+ service.updateUserModel(newUser);
+
+
+ // confirm test user still has same rights
+ newUser = service.getUserModel("mallory");
+ assertEquals("password", newUser.password);
+ assertEquals(1, newUser.permissions.size());
+ assertTrue(newUser.hasRepositoryPermission("repo1"));
+ assertFalse(newUser.canAdmin);
+
+ assertEquals(2, service.getAllUsernames().size());
+ }
+ finally {
+ file.delete();
+ }
+ }
+
+
+}
+