authorTommi Virtanen <tv@eagain.net>2008-03-19 21:52:03 +0200
committerTommi Virtanen <tv@eagain.net>2008-03-19 21:52:03 +0200
commitf839f889b607c9920659516959795859aab0a86e (patch)
tree6d00edbdaac32e16b6d64f6ba0437b79901959ec
parentTest that incoming paths cannot contain /../ (diff)
Make serve acceptable path unit tests more careful.
Tests used to trigger the wanted security exception merely by being unquoted; that's not good enough.
-rw-r--r--gitosis/test/test_serve.py30
1 files changed, 27 insertions, 3 deletions
diff --git a/gitosis/test/test_serve.py b/gitosis/test/test_serve.py
index cf54cc6..23b6a6f 100644
--- a/gitosis/test/test_serve.py
+++ b/gitosis/test/test_serve.py
@@ -45,14 +45,38 @@ def test_bad_command():
eq(str(e), 'Unknown command denied')
assert isinstance(e, serve.ServingError)
-def test_bad_unsafeArguments():
+def test_bad_unsafeArguments_notQuoted():
cfg = RawConfigParser()
e = assert_raises(
serve.UnsafeArgumentsError,
serve.serve,
cfg=cfg,
user='jdoe',
- command='git-upload-pack /evil/attack',
+ command="git-upload-pack foo",
+ )
+ eq(str(e), 'Arguments to command look dangerous')
+ assert isinstance(e, serve.ServingError)
+
+def test_bad_unsafeArguments_absolute():
+ cfg = RawConfigParser()
+ e = assert_raises(
+ serve.UnsafeArgumentsError,
+ serve.serve,
+ cfg=cfg,
+ user='jdoe',
+ command="git-upload-pack '/evil/attack'",
+ )
+ eq(str(e), 'Arguments to command look dangerous')
+ assert isinstance(e, serve.ServingError)
+
+def test_bad_unsafeArguments_badCharacters():
+ cfg = RawConfigParser()
+ e = assert_raises(
+ serve.UnsafeArgumentsError,
+ serve.serve,
+ cfg=cfg,
+ user='jdoe',
+ command="git-upload-pack 'ev!l'",
)
eq(str(e), 'Arguments to command look dangerous')
assert isinstance(e, serve.ServingError)
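Review bot: The new tests in this hunk can still pass for the wrong reason, because each asserts only `serve.UnsafeArgumentsError` and the shared message 'Arguments to command look dangerous'. If the validator rejected every quoted argument, `test_bad_unsafeArguments_absolute` and `test_bad_unsafeArguments_badCharacters` would both stay green. A control case would pin this down: a quoted, relative, clean path must get past the argument check, so each negative test is known to differ from an accepted input by exactly one property. Whether such a test already exists elsewhere in the file is not visible from this hunk, and what `serve.serve` does after the argument check with an empty config is an assumption in the sketch below.

```python
def test_unsafeArguments_control_quotedRelative():
    # Control for the three negative tests above: same shape of input,
    # but quoted, relative and free of odd characters.
    cfg = RawConfigParser()
    try:
        serve.serve(cfg=cfg, user='jdoe', command="git-upload-pack 'foo'")
    except serve.UnsafeArgumentsError:
        raise AssertionError('well-formed argument rejected as unsafe')
    except serve.ServingError:
        # presumably an access-denied error with an empty config; confirm
        pass
```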
@@ -64,7 +88,7 @@ def test_bad_unsafeArguments_dotdot():
serve.serve,
cfg=cfg,
user='jdoe',
- command='git-upload-pack something/../evil',
+ command="git-upload-pack 'something/../evil'",
)
eq(str(e), 'Arguments to command look dangerous')
assert isinstance(e, serve.ServingError)
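Review bot: `test_bad_unsafeArguments_dotdot` covers a `..` component only in the middle of the path (`'something/../evil'`), so a check that looks for the literal substring `/../` would satisfy it. The parent commit's title speaks of `/../` specifically, which makes that a plausible implementation, though the validator is not visible here. Sibling cases with the component at the start and at the end, for example `command="git-upload-pack '../evil'"` and `command="git-upload-pack 'something/..'"`, would show the rejection is per path component. The test function begins outside this hunk, so its setup is assumed to match the tests above.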