diff options
| author | Tommi Virtanen <tv@eagain.net> | 2008-03-19 21:52:03 +0200 |
|---|---|---|
| committer | Tommi Virtanen <tv@eagain.net> | 2008-03-19 21:52:03 +0200 |
| commit | f839f889b607c9920659516959795859aab0a86e (patch) | |
| tree | 6d00edbdaac32e16b6d64f6ba0437b79901959ec | |
| parent | Test that incoming paths cannot contain /../ (diff) | |
| download | gitosis-dakkar-f839f889b607c9920659516959795859aab0a86e.tar.gz gitosis-dakkar-f839f889b607c9920659516959795859aab0a86e.tar.bz2 gitosis-dakkar-f839f889b607c9920659516959795859aab0a86e.zip | |
Make serve acceptable path unit tests more careful.
Tests used to trigger the wanted security exception merely by being
unquoted, that's not good enough.
| -rw-r--r-- | gitosis/test/test_serve.py | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/gitosis/test/test_serve.py b/gitosis/test/test_serve.py index cf54cc6..23b6a6f 100644 --- a/gitosis/test/test_serve.py +++ b/gitosis/test/test_serve.py @@ -45,14 +45,38 @@ def test_bad_command(): eq(str(e), 'Unknown command denied') assert isinstance(e, serve.ServingError) -def test_bad_unsafeArguments(): +def test_bad_unsafeArguments_notQuoted(): cfg = RawConfigParser() e = assert_raises( serve.UnsafeArgumentsError, serve.serve, cfg=cfg, user='jdoe', - command='git-upload-pack /evil/attack', + command="git-upload-pack foo", + ) + eq(str(e), 'Arguments to command look dangerous') + assert isinstance(e, serve.ServingError) + +def test_bad_unsafeArguments_absolute(): + cfg = RawConfigParser() + e = assert_raises( + serve.UnsafeArgumentsError, + serve.serve, + cfg=cfg, + user='jdoe', + command="git-upload-pack '/evil/attack'", + ) + eq(str(e), 'Arguments to command look dangerous') + assert isinstance(e, serve.ServingError) + +def test_bad_unsafeArguments_badCharacters(): + cfg = RawConfigParser() + e = assert_raises( + serve.UnsafeArgumentsError, + serve.serve, + cfg=cfg, + user='jdoe', + command="git-upload-pack 'ev!l'", ) eq(str(e), 'Arguments to command look dangerous') assert isinstance(e, serve.ServingError) @@ -64,7 +88,7 @@ def test_bad_unsafeArguments_dotdot(): serve.serve, cfg=cfg, user='jdoe', - command='git-upload-pack something/../evil', + command="git-upload-pack 'something/../evil'", ) eq(str(e), 'Arguments to command look dangerous') assert isinstance(e, serve.ServingError) |