Beispiel #1
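    def test_check_squashfs_files_unsquashfs_failed(self):
        '''Test check_squashfs_files() - unsquashfs exits non-zero

        A stub ``unsquashfs`` that prints an error and exits 1 is placed in a
        temporary directory that is put first on PATH. The review is expected
        to record exactly one error and no warnings; the info count is not
        checked.
        '''
        output_dir = self.mkdtemp()
        package = utils.make_snap2(output_dir=output_dir)
        c = SnapReviewSecurity(package)

        # fake unsquashfs that always fails
        unsquashfs = os.path.join(output_dir, 'unsquashfs')
        content = '''#!/bin/sh
echo test error: unsquashfs failure
exit 1
'''
        with open(unsquashfs, 'w') as f:
            f.write(content)
        os.chmod(unsquashfs, 0o775)

        # Prepend the temp dir so the stub shadows any installed unsquashfs.
        # NOTE(review): this relies on the checker resolving unsquashfs through
        # PATH - confirm against check_squashfs_files().
        old_path = os.environ['PATH']
        if old_path:
            os.environ['PATH'] = "%s:%s" % (output_dir, old_path)
        else:
            os.environ['PATH'] = output_dir  # pragma: nocover

        try:
            c.check_squashfs_files()
        finally:
            # Restore PATH even when the check raises; otherwise the failing
            # stub would stay first on PATH for every later test in the run.
            os.environ['PATH'] = old_path

        report = c.click_report
        expected_counts = {'info': None, 'warn': 0, 'error': 1}
        self.check_results(report, expected_counts)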
Beispiel #2
    def test_check_squashfs_files(self):
        '''Test check_squashfs_files()

        Runs the check against a snap built by utils.make_snap2() and expects
        a clean report: one info entry, no warnings, no errors.
        '''
        tmp_dir = self.mkdtemp()
        review = SnapReviewSecurity(utils.make_snap2(output_dir=tmp_dir))

        review.check_squashfs_files()

        self.check_results(review.click_report,
                           {'info': 1, 'warn': 0, 'error': 0})
Beispiel #3
    def test_check_squashfs_files_short_output(self):
        '''Test check_squashfs_files() - short output

        The mocked unsquashfs listing has only three lines and no file
        entries; the check is expected to report one error rather than treat
        the truncated listing as a clean snap.
        '''
        truncated = "output\ntoo\nshort\n"
        self.set_test_unsquashfs_lls(truncated)

        review = SnapReviewSecurity(self.test_name)
        review.check_squashfs_files()

        # info is None: only the warn and error counts are pinned here
        self.check_results(review.click_report,
                           {'info': None, 'warn': 0, 'error': 1})
Beispiel #4
    def test_check_squashfs_files_mode_sticky_dir(self):
        '''Test check_squashfs_files() - mode - sticky dir

        A root-owned directory with mode drwxrwxrwt (sticky bit set) is
        expected to pass: one info entry, no warnings, no errors.
        '''
        listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

drwxrwxrwt root/root                38 2016-03-11 12:25 squashfs-root/foo
'''
        self.set_test_unsquashfs_lls(listing)

        review = SnapReviewSecurity(self.test_name)
        review.check_squashfs_files()

        self.check_results(review.click_report,
                           {'info': 1, 'warn': 0, 'error': 0})
Beispiel #5
    def test_check_squashfs_files_user_other_os(self):
        '''Test check_squashfs_files() - user - other os

        A file owned by user "other" is expected to pass when snap.yaml
        declares ``type: os``: one info entry, no warnings, no errors.
        '''
        listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

-rw-rw-r-- other/root                8 2016-03-11 12:25 squashfs-root/foo
'''
        self.set_test_unsquashfs_lls(listing)
        # NOTE(review): presumably the non-root owner is tolerated only
        # because of the os snap type - confirm against the checker.
        self.set_test_snap_yaml("type", "os")

        review = SnapReviewSecurity(self.test_name)
        review.check_squashfs_files()

        self.check_results(review.click_report,
                           {'info': 1, 'warn': 0, 'error': 0})
Beispiel #6
    def test_check_squashfs_files_mode_openwrt_tmp(self):
        '''Test check_squashfs_files() - mode - openwrt /tmp

        A regular file at rootfs/tmp with mode -rwxrwxrwt is expected to pass
        when the snap is named "openwrt": one info entry, no warnings, no
        errors.
        '''
        listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

-rwxrwxrwt root/root             14528 2016-08-02 18:18 squashfs-root/rootfs/tmp
'''
        self.set_test_unsquashfs_lls(listing)
        # NOTE(review): looks like a per-snap exception keyed on the snap
        # name - confirm in the checker; the exception itself is not shown here.
        self.set_test_snap_yaml("name", "openwrt")

        review = SnapReviewSecurity(self.test_name)
        review.check_squashfs_files()

        self.check_results(review.click_report,
                           {'info': 1, 'warn': 0, 'error': 0})
Beispiel #7
    def test_check_squashfs_files_mode_suid_ubuntu_core_sudo(self):
        '''Test check_squashfs_files() - mode - sudo suid on ubuntu-core

        A setuid-root usr/bin/sudo (-rwsr-xr-x, root/root) is expected to
        pass when the snap is named "ubuntu-core": one info entry, no
        warnings, no errors.
        '''
        listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

-rwsr-xr-x root/root                38 2016-03-11 12:25 squashfs-root/usr/bin/sudo
'''
        self.set_test_unsquashfs_lls(listing)
        # NOTE(review): presumably the setuid bit is accepted only for this
        # path in this snap name - confirm the exception is that narrow.
        self.set_test_snap_yaml("name", "ubuntu-core")

        review = SnapReviewSecurity(self.test_name)
        review.check_squashfs_files()

        self.check_results(review.click_report,
                           {'info': 1, 'warn': 0, 'error': 0})
Beispiel #8
    def test_check_squashfs_files_mode_suid_chrome_test_sandbox(self):
        '''Test check_squashfs_files() - mode - chrome-sandbox with chrome-test

        A setuid-root opt/google/chrome/chrome-sandbox is expected to pass
        when the snap is named "chrome-test": one info entry, no warnings, no
        errors.
        '''
        listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

-rwsr-xr-x root/root             14528 2016-08-02 18:18 squashfs-root/opt/google/chrome/chrome-sandbox
'''
        self.set_test_unsquashfs_lls(listing)
        # NOTE(review): presumably a per-snap setuid exception - confirm it
        # is bound to both this snap name and this exact path.
        self.set_test_snap_yaml("name", "chrome-test")

        review = SnapReviewSecurity(self.test_name)
        review.check_squashfs_files()

        self.check_results(review.click_report,
                           {'info': 1, 'warn': 0, 'error': 0})
Beispiel #9
    def test_check_squashfs_files_bad_time(self):
        '''Test check_squashfs_files() - bad time

        The listing entry carries the time field "z2:25". The check is
        expected to report one error under the malformed-line result name,
        quoting the bad field and the entry path as './foo'.
        '''
        listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

-rw-rw-rw- root/root                8 2016-03-11 z2:25 squashfs-root/foo
'''
        self.set_test_unsquashfs_lls(listing)

        review = SnapReviewSecurity(self.test_name)
        review.check_squashfs_files()
        report = review.click_report

        # First pin the counts, then the exact error name and text.
        self.check_results(report, {'info': None, 'warn': 0, 'error': 1})

        name = 'security-snap-v2:squashfs_files_malformed_line'
        expected = {
            'error': {
                name: {"text": "malformed lines in unsquashfs output: 'time 'z2:25' malformed for './foo''"},
            },
            'warn': {},
            'info': {},
        }
        self.check_results(report, expected=expected)
Beispiel #10
    def test_check_squashfs_files_bad_group(self):
        '''Test check_squashfs_files() - bad group

        An entry owned by root/bad is expected to produce one error that
        names the unusual user/group pair and the entry path as './foo'.
        '''
        listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

-rw-rw-r-- root/bad                8 2016-03-11 12:25 squashfs-root/foo
'''
        self.set_test_unsquashfs_lls(listing)

        review = SnapReviewSecurity(self.test_name)
        review.check_squashfs_files()
        report = review.click_report

        # First pin the counts, then the exact error name and text.
        self.check_results(report, {'info': None, 'warn': 0, 'error': 1})

        name = 'security-snap-v2:squashfs_files'
        expected = {
            'error': {
                name: {"text": "found errors in file output: unusual user/group 'root/bad' for './foo'"},
            },
            'warn': {},
            'info': {},
        }
        self.check_results(report, expected=expected)
Beispiel #11
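    def test_check_squashfs_files_bad_type_socket(self):
        '''Test check_squashfs_files() - bad type - socket

        The listing entry has file type 's' (socket). The check is expected
        to report one error stating that the type is not allowed, with the
        entry path given as './foo'.
        '''
        # NOTE(review): the size column "8,  0" has the major,minor form of a
        # device entry; it looks copied from a block-device case - confirm the
        # fixture is what was intended for a socket.
        out = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

srw-rw-rw- root/root                8,  0 2016-03-11 12:25 squashfs-root/foo
'''
        self.set_test_unsquashfs_lls(out)
        c = SnapReviewSecurity(self.test_name)
        c.check_squashfs_files()
        report = c.click_report

        # First pin the counts, then the exact error name and text.
        expected_counts = {'info': None, 'warn': 0, 'error': 1}
        self.check_results(report, expected_counts)

        name = 'security-snap-v2:squashfs_files'
        expected = {
            'error': {
                name: {"text": "found errors in file output: file type 's' not allowed (./foo)"},
            },
            'warn': {},
            'info': {},
        }
        self.check_results(report, expected=expected)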
Beispiel #12
    def test_check_squashfs_files_bad_mode_invalid_type(self):
        '''Test check_squashfs_files() - bad mode - invalid type

        The mode string starts with ':', which is not a file-type character.
        The check is expected to report one error naming the unknown type
        and the entry path as './foo'.
        '''
        listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

:rwxrwxr-x root/root                38 2016-03-11 12:25 squashfs-root/foo
'''
        self.set_test_unsquashfs_lls(listing)

        review = SnapReviewSecurity(self.test_name)
        review.check_squashfs_files()
        report = review.click_report

        # First pin the counts, then the exact error name and text.
        self.check_results(report, {'info': None, 'warn': 0, 'error': 1})

        name = 'security-snap-v2:squashfs_files'
        expected = {
            'error': {
                name: {"text": "found errors in file output: unknown type ':' for entry './foo'"},
            },
            'warn': {},
            'info': {},
        }
        self.check_results(report, expected=expected)
Beispiel #13
    def test_check_squashfs_files(self):
        '''Test check_squashfs_files()

        Feeds a mocked unsquashfs listing in which every entry is owned by
        root/root, is a directory or regular file, and has no setuid, setgid
        or sticky bit. The report is expected to hold one info entry and no
        warnings or errors.
        '''
        listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

drwxrwxr-x root/root                38 2016-03-11 12:25 squashfs-root
drwxrwxr-x root/root                88 2016-03-03 13:51 squashfs-root/bin
-rwxrwxr-x root/root                31 2016-02-12 10:07 squashfs-root/bin/echo
-rwxrwxr-x root/root                27 2016-02-12 10:07 squashfs-root/bin/env
-rwxrwxr-x root/root               274 2016-02-12 10:07 squashfs-root/bin/evil
-rwxrwxr-x root/root               209 2016-03-11 12:26 squashfs-root/bin/sh
-rwxrwxr-x root/root               436 2016-02-12 10:19 squashfs-root/bin/showdev
-rwxrwxr-x root/root               701 2016-02-12 10:19 squashfs-root/bin/usehw
drwxrwxr-x root/root                48 2016-03-11 12:26 squashfs-root/meta
-rw-rw-r-- root/root             18267 2016-02-12 10:07 squashfs-root/meta/icon.png
-rw-rw-r-- root/root               813 2016-03-11 12:26 squashfs-root/meta/snap.yaml
'''
        self.set_test_unsquashfs_lls(listing)

        review = SnapReviewSecurity(self.test_name)
        review.check_squashfs_files()

        self.check_results(review.click_report,
                           {'info': 1, 'warn': 0, 'error': 0})