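def test_check_squashfs_files_unsquashfs_failed(self):
    '''Test check_squashfs_files() - unsquashfs exits non-zero

    A stub ``unsquashfs`` that prints an error and exits 1 is placed first
    on PATH, and the review is expected to report exactly one error and no
    warnings.
    '''
    output_dir = self.mkdtemp()
    package = utils.make_snap2(output_dir=output_dir)
    c = SnapReviewSecurity(package)

    # fake unsquashfs
    # NOTE(review): the line breaks in this literal were restored from a
    # collapsed listing; confirm them against the real fixture.
    unsquashfs = os.path.join(output_dir, 'unsquashfs')
    content = '''#!/bin/sh
echo test error: unsquashfs failure
exit 1
'''
    with open(unsquashfs, 'w') as f:
        f.write(content)
    # The stub sits first on PATH while the check runs, so only the owner
    # gets to read, write or execute it (the original used 0o775).
    os.chmod(unsquashfs, 0o700)

    # .get() so an unset PATH takes the fallback branch instead of raising
    # KeyError before the test has started.
    old_path = os.environ.get('PATH')
    if old_path:
        os.environ['PATH'] = os.pathsep.join([output_dir, old_path])
    else:
        os.environ['PATH'] = output_dir  # pragma: nocover

    try:
        c.check_squashfs_files()
    finally:
        # Always undo the PATH change: if the check raises, later tests in
        # the same process must not keep resolving 'unsquashfs' to the stub.
        if old_path is None:
            os.environ.pop('PATH', None)  # pragma: nocover
        else:
            os.environ['PATH'] = old_path

    report = c.click_report
    # NOTE(review): 'info': None presumably means the info count is not
    # checked - confirm in check_results().
    expected_counts = {'info': None, 'warn': 0, 'error': 1}
    self.check_results(report, expected_counts)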
def test_check_squashfs_files(self):
    '''Test check_squashfs_files() against a snap built by make_snap2()

    Expects one info result and no warnings or errors.
    '''
    # NOTE(review): a later method in this listing has the same name. If
    # both live in the same class the later definition replaces this one
    # and this test never runs - confirm they belong to different classes.
    tmp_dir = self.mkdtemp()
    snap_path = utils.make_snap2(output_dir=tmp_dir)
    review = SnapReviewSecurity(snap_path)
    review.check_squashfs_files()

    expected_counts = dict(info=1, warn=0, error=0)
    self.check_results(review.click_report, expected_counts)
def test_check_squashfs_files_short_output(self):
    '''Test check_squashfs_files() - short output

    A listing that holds a single line is expected to yield one error.
    '''
    # NOTE(review): the line break in this literal was restored from a
    # collapsed listing; confirm it against the real fixture.
    lls_listing = '''output too short
'''
    self.set_test_unsquashfs_lls(lls_listing)

    review = SnapReviewSecurity(self.test_name)
    review.check_squashfs_files()

    # NOTE(review): 'info': None presumably means the info count is not
    # checked - confirm in check_results().
    expected_counts = dict(info=None, warn=0, error=1)
    self.check_results(review.click_report, expected_counts)
def test_check_squashfs_files_mode_sticky_dir(self):
    '''Test check_squashfs_files() - mode - sticky dir

    A root-owned directory with mode drwxrwxrwt (world-writable with the
    sticky bit) is expected to pass: one info result, no errors.
    '''
    # NOTE(review): the line breaks in this literal were restored from a
    # collapsed listing; confirm them against the real fixture.
    lls_listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

drwxrwxrwt root/root 38 2016-03-11 12:25 squashfs-root/foo
'''
    self.set_test_unsquashfs_lls(lls_listing)

    review = SnapReviewSecurity(self.test_name)
    review.check_squashfs_files()

    expected_counts = dict(info=1, warn=0, error=0)
    self.check_results(review.click_report, expected_counts)
def test_check_squashfs_files_user_other_os(self):
    '''Test check_squashfs_files() - user - other os

    With snap.yaml "type" set to "os", a file owned by other/root is
    expected to pass: one info result, no errors.
    '''
    # NOTE(review): the line breaks in this literal were restored from a
    # collapsed listing; confirm them against the real fixture.
    lls_listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

-rw-rw-r-- other/root 8 2016-03-11 12:25 squashfs-root/foo
'''
    self.set_test_unsquashfs_lls(lls_listing)
    # The non-root owner is only exercised together with type "os" here;
    # this test pins the accepted case, not the rejection for other types.
    self.set_test_snap_yaml("type", "os")

    review = SnapReviewSecurity(self.test_name)
    review.check_squashfs_files()

    expected_counts = dict(info=1, warn=0, error=0)
    self.check_results(review.click_report, expected_counts)
def test_check_squashfs_files_mode_openwrt_tmp(self):
    '''Test check_squashfs_files() - mode - openwrt /tmp

    With the snap named "openwrt", the entry rootfs/tmp with mode
    -rwxrwxrwt is expected to pass: one info result, no errors.
    '''
    # NOTE(review): the line breaks in this literal were restored from a
    # collapsed listing; confirm them against the real fixture.
    lls_listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

-rwxrwxrwt root/root 14528 2016-08-02 18:18 squashfs-root/rootfs/tmp
'''
    self.set_test_unsquashfs_lls(lls_listing)
    # Only the accepted case is pinned: nothing in this test shows the same
    # mode being rejected for a snap with a different name.
    self.set_test_snap_yaml("name", "openwrt")

    review = SnapReviewSecurity(self.test_name)
    review.check_squashfs_files()

    expected_counts = dict(info=1, warn=0, error=0)
    self.check_results(review.click_report, expected_counts)
def test_check_squashfs_files_mode_suid_ubuntu_core_sudo(self):
    '''Test check_squashfs_files() - mode - sudo suid on ubuntu-core

    With the snap named "ubuntu-core", a root-owned setuid usr/bin/sudo
    (-rwsr-xr-x) is expected to pass: one info result, no errors.
    '''
    # NOTE(review): the line breaks in this literal were restored from a
    # collapsed listing; confirm them against the real fixture.
    lls_listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

-rwsr-xr-x root/root 38 2016-03-11 12:25 squashfs-root/usr/bin/sudo
'''
    self.set_test_unsquashfs_lls(lls_listing)
    # Only the accepted case is pinned: nothing in this test shows a setuid
    # file being rejected for a snap with a different name.
    self.set_test_snap_yaml("name", "ubuntu-core")

    review = SnapReviewSecurity(self.test_name)
    review.check_squashfs_files()

    expected_counts = dict(info=1, warn=0, error=0)
    self.check_results(review.click_report, expected_counts)
def test_check_squashfs_files_mode_suid_chrome_test_sandbox(self):
    '''Test check_squashfs_files() - mode - chrome-sandbox with chrome-test

    With the snap named "chrome-test", a root-owned setuid
    opt/google/chrome/chrome-sandbox (-rwsr-xr-x) is expected to pass:
    one info result, no errors.
    '''
    # NOTE(review): the line breaks in this literal were restored from a
    # collapsed listing; confirm them against the real fixture.
    lls_listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

-rwsr-xr-x root/root 14528 2016-08-02 18:18 squashfs-root/opt/google/chrome/chrome-sandbox
'''
    self.set_test_unsquashfs_lls(lls_listing)
    # Only the accepted case is pinned: nothing in this test shows a setuid
    # file being rejected for a snap with a different name.
    self.set_test_snap_yaml("name", "chrome-test")

    review = SnapReviewSecurity(self.test_name)
    review.check_squashfs_files()

    expected_counts = dict(info=1, warn=0, error=0)
    self.check_results(review.click_report, expected_counts)
def test_check_squashfs_files_bad_time(self):
    '''Test check_squashfs_files() - bad time

    An entry whose time field is 'z2:25' is expected to be reported as a
    malformed line: one error, with the exact message checked below.
    '''
    # NOTE(review): the line breaks in this literal were restored from a
    # collapsed listing; confirm them against the real fixture.
    lls_listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

-rw-rw-rw- root/root 8 2016-03-11 z2:25 squashfs-root/foo
'''
    self.set_test_unsquashfs_lls(lls_listing)

    review = SnapReviewSecurity(self.test_name)
    review.check_squashfs_files()
    report = review.click_report

    # First pass checks the counts only.
    # NOTE(review): 'info': None presumably means the info count is not
    # checked - confirm in check_results().
    self.check_results(report, {'info': None, 'warn': 0, 'error': 1})

    # Second pass checks the result name and the message text.
    name = 'security-snap-v2:squashfs_files_malformed_line'
    expected = {
        'error': {
            name: {"text": "malformed lines in unsquashfs output: 'time 'z2:25' malformed for './foo''"},
        },
        'warn': {},
        'info': {},
    }
    self.check_results(report, expected=expected)
def test_check_squashfs_files_bad_group(self):
    '''Test check_squashfs_files() - bad group

    A file owned by root/bad is expected to be reported as having an
    unusual user/group: one error, with the exact message checked below.
    '''
    # NOTE(review): the line breaks in this literal were restored from a
    # collapsed listing; confirm them against the real fixture.
    lls_listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

-rw-rw-r-- root/bad 8 2016-03-11 12:25 squashfs-root/foo
'''
    self.set_test_unsquashfs_lls(lls_listing)

    review = SnapReviewSecurity(self.test_name)
    review.check_squashfs_files()
    report = review.click_report

    # First pass checks the counts only.
    # NOTE(review): 'info': None presumably means the info count is not
    # checked - confirm in check_results().
    self.check_results(report, {'info': None, 'warn': 0, 'error': 1})

    # Second pass checks the result name and the message text.
    name = 'security-snap-v2:squashfs_files'
    expected = {
        'error': {
            name: {"text": "found errors in file output: unusual user/group 'root/bad' for './foo'"},
        },
        'warn': {},
        'info': {},
    }
    self.check_results(report, expected=expected)
def test_check_squashfs_files_bad_type_socket(self):
    '''Test check_squashfs_files() - bad type - socket

    An entry whose mode string starts with 's' is expected to be rejected
    as a disallowed file type: one error, with the exact message checked
    below.
    '''
    # NOTE(review): the line breaks in this literal were restored from a
    # collapsed listing; confirm them against the real fixture.
    lls_listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

srw-rw-rw- root/root 8, 0 2016-03-11 12:25 squashfs-root/foo
'''
    self.set_test_unsquashfs_lls(lls_listing)

    review = SnapReviewSecurity(self.test_name)
    review.check_squashfs_files()
    report = review.click_report

    # First pass checks the counts only.
    # NOTE(review): 'info': None presumably means the info count is not
    # checked - confirm in check_results().
    self.check_results(report, {'info': None, 'warn': 0, 'error': 1})

    # Second pass checks the result name and the message text.
    name = 'security-snap-v2:squashfs_files'
    expected = {
        'error': {
            name: {"text": "found errors in file output: file type 's' not allowed (./foo)"},
        },
        'warn': {},
        'info': {},
    }
    self.check_results(report, expected=expected)
def test_check_squashfs_files_bad_mode_invalid_type(self):
    '''Test check_squashfs_files() - bad mode - invalid type

    An entry whose mode string starts with ':' is expected to be reported
    as an unknown type: one error, with the exact message checked below.
    '''
    # NOTE(review): the line breaks in this literal were restored from a
    # collapsed listing; confirm them against the real fixture.
    lls_listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

:rwxrwxr-x root/root 38 2016-03-11 12:25 squashfs-root/foo
'''
    self.set_test_unsquashfs_lls(lls_listing)

    review = SnapReviewSecurity(self.test_name)
    review.check_squashfs_files()
    report = review.click_report

    # First pass checks the counts only.
    # NOTE(review): 'info': None presumably means the info count is not
    # checked - confirm in check_results().
    self.check_results(report, {'info': None, 'warn': 0, 'error': 1})

    # Second pass checks the result name and the message text.
    name = 'security-snap-v2:squashfs_files'
    expected = {
        'error': {
            name: {"text": "found errors in file output: unknown type ':' for entry './foo'"},
        },
        'warn': {},
        'info': {},
    }
    self.check_results(report, expected=expected)
def test_check_squashfs_files(self):
    '''Test check_squashfs_files() against a well-formed listing

    Every entry is a root/root directory or regular file with no setuid,
    setgid or sticky bit; expects one info result and no warnings or
    errors.
    '''
    # NOTE(review): an earlier method in this listing has the same name. If
    # both live in the same class this definition replaces the earlier one,
    # which then never runs - confirm they belong to different classes.
    # NOTE(review): the line breaks in this literal were restored from a
    # collapsed listing; confirm them against the real fixture.
    lls_listing = '''Parallel unsquashfs: Using 4 processors
8 inodes (8 blocks) to write

drwxrwxr-x root/root 38 2016-03-11 12:25 squashfs-root
drwxrwxr-x root/root 88 2016-03-03 13:51 squashfs-root/bin
-rwxrwxr-x root/root 31 2016-02-12 10:07 squashfs-root/bin/echo
-rwxrwxr-x root/root 27 2016-02-12 10:07 squashfs-root/bin/env
-rwxrwxr-x root/root 274 2016-02-12 10:07 squashfs-root/bin/evil
-rwxrwxr-x root/root 209 2016-03-11 12:26 squashfs-root/bin/sh
-rwxrwxr-x root/root 436 2016-02-12 10:19 squashfs-root/bin/showdev
-rwxrwxr-x root/root 701 2016-02-12 10:19 squashfs-root/bin/usehw
drwxrwxr-x root/root 48 2016-03-11 12:26 squashfs-root/meta
-rw-rw-r-- root/root 18267 2016-02-12 10:07 squashfs-root/meta/icon.png
-rw-rw-r-- root/root 813 2016-03-11 12:26 squashfs-root/meta/snap.yaml
'''
    self.set_test_unsquashfs_lls(lls_listing)

    review = SnapReviewSecurity(self.test_name)
    review.check_squashfs_files()

    expected_counts = dict(info=1, warn=0, error=0)
    self.check_results(review.click_report, expected_counts)