| field | value | date |
|---|---|---|
| author | Toshi MARUYAMA <marutosijp2@yahoo.co.jp> | 2017-12-07 12:15:45 +0000 |
| committer | Toshi MARUYAMA <marutosijp2@yahoo.co.jp> | 2017-12-07 12:15:45 +0000 |
| commit | 76dd10bd78bd43a458a9e72f6cc492e7e109f7c1 | |
| tree | 412ccd12ebc2fd7dbf269b397b3db964b944ade9 /test | |
| parent | 2e8d269c057c1a78499d6b60f313a39f6ac0b570 | |
Merged r17060 from trunk to 3.4-stable (#27516)
mercurial: reject malicious command argument
We've got a security report from the Phabricator team, which basically says
--config and --debugger arguments can be injected anywhere to lead to
arbitrary command execution.
https://secure.phabricator.com/rPa7921a4448093d00defa8bd18f35b8c8f8bf3314
This is a fundamental issue of the argument parsing rules in Mercurial, which
allow extensions to populate their parsing rules, and such extensions can be
loaded by "--config extensions.<name>=". There's a chicken-and-egg problem.
We're working on hardening the parsing rules, but that won't come in by
default as it would be a behavior change.
This patch adds a verification to reject malicious command arguments as a
last-ditch measure. The subsequent patches will fix the problem in a more
appropriate way.
Contributed by Yuya Nishihara.
git-svn-id: http://svn.redmine.org/redmine/branches/3.4-stable@17066 e93f8b46-1217-0410-a6f0-8f06a7374b81
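The commit message describes the hazard (hg treats `--config`, `--debugger`, `-R`/`--repository`/`--repo` as early global options wherever they appear in argv) and the mitigation (reject such values before they reach the command line). The following is an added illustration of that kind of check, not Redmine's code and not the fix this commit merges; the option list, the helper names and the `hg diff` argv layout are assumptions for the example. Only the exception name is taken from the test on this page.

```ruby
# Added example (not Redmine's code): reject Mercurial "early" global options
# that hg parses wherever they appear in argv. The option list and the helper
# names below are assumptions for illustration.
class HgCommandArgumentError < ArgumentError; end

# Early options that take a value. The bare form takes its value from the
# next argv token, so the bare spelling must be rejected as well as "--opt=".
HG_EARLY_VALUE_OPTS = %w[--config --cwd --repository --repo].freeze
# Early options that are plain flags.
HG_EARLY_BOOL_OPTS = %w[--debugger].freeze

# Returns true when +arg+ would be interpreted by hg as an early option.
def hg_early_option?(arg)
  arg = arg.to_s
  return true if HG_EARLY_BOOL_OPTS.include?(arg)
  return true if HG_EARLY_VALUE_OPTS.any? { |o| arg == o || arg.start_with?("#{o}=") }
  # -R takes its value either attached ("-Rpath") or as the next token ("-R").
  return true if arg.start_with?('-R')
  false
end

# Validates every caller-supplied value destined for an hg command line and
# raises on the first early option found. Ordinary revisions, paths and
# numeric limits pass through unchanged.
def check_hg_args!(args)
  args.each do |arg|
    if hg_early_option?(arg)
      raise HgCommandArgumentError, "malicious command argument: #{arg}"
    end
  end
  args
end

# Builds argv for a hypothetical `hg diff` call. The caller-supplied values
# are validated on their own, before they are mixed with the fixed options.
def hg_diff_argv(path, rev)
  check_hg_args!([path, rev])
  ['hg', 'diff', '-r', rev, '--', path]
end
```

Because the report quoted above says these options can be injected anywhere, the check runs on every caller-supplied value rather than relying on where in argv the value ends up; a value that is about to be interpolated into another option (a limit, a revision range) still has to be checked as a raw string.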
Diffstat (limited to 'test')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | test/unit/lib/redmine/scm/adapters/mercurial_adapter_test.rb | 19 |

1 files changed, 19 insertions, 0 deletions
diff --git a/test/unit/lib/redmine/scm/adapters/mercurial_adapter_test.rb b/test/unit/lib/redmine/scm/adapters/mercurial_adapter_test.rb index 0512cc74c..e0458ce55 100644 --- a/test/unit/lib/redmine/scm/adapters/mercurial_adapter_test.rb +++ b/test/unit/lib/redmine/scm/adapters/mercurial_adapter_test.rb @@ -21,6 +21,7 @@ class MercurialAdapterTest < ActiveSupport::TestCase HELPERS_DIR = Redmine::Scm::Adapters::MercurialAdapter::HELPERS_DIR TEMPLATE_NAME = Redmine::Scm::Adapters::MercurialAdapter::TEMPLATE_NAME TEMPLATE_EXTENSION = Redmine::Scm::Adapters::MercurialAdapter::TEMPLATE_EXTENSION + HgCommandArgumentError = Redmine::Scm::Adapters::MercurialAdapter::HgCommandArgumentError REPOSITORY_PATH = repository_path('mercurial') CHAR_1_HEX = "\xc3\x9c" @@ -443,6 +444,24 @@ class MercurialAdapterTest < ActiveSupport::TestCase assert_equal "UTF-8", adpt2.path_encoding end + def test_bad_early_options + assert_raise HgCommandArgumentError do + @adapter.diff('sources/welcome_controller.rb', '--config=alias.rhdiff=!xterm') + end + assert_raise HgCommandArgumentError do + @adapter.entries('--debugger') + end + assert_raise HgCommandArgumentError do + @adapter.revisions(nil, nil, nil, limit: '--repo=otherrepo') + end + assert_raise HgCommandArgumentError do + @adapter.nodes_in_branch('default', limit: '--repository=otherrepo') + end + assert_raise HgCommandArgumentError do + @adapter.nodes_in_branch('-Rotherrepo') + end + end + private def test_hgversion_for(hgversion, version) |
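Review bot: test_bad_early_options in the second hunk exercises only the rejection path and only five spellings (`--config=...`, bare `--debugger`, `--repo=otherrepo`, `--repository=otherrepo`, attached `-Rotherrepo`); it does not cover the bare `--config` form, a detached `-R`, or `--cwd`, and it has no positive case asserting that an ordinary path, branch name or numeric `limit:` still passes. Adding those would pin down both sides of the check, so a later tightening cannot silently start rejecting legitimate arguments, and a regression in the detached forms would be caught. The five `assert_raise` blocks could also carry a message naming the argument under test, since a failure currently reports only the missing exception. The alias constant added in the first hunk follows the existing HELPERS_DIR/TEMPLATE_* pattern and needs no change.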