def test_git_cmd_injection(self):
repo_inject_path = 'file:/%s; echo "Cake";' % TEST_GIT_REPO
with pytest.raises(RepositoryError):
# Should fail because URL will contain the parts after ; too
GitRepository(get_new_dir('injection-repo'), src_url=repo_inject_path, update_after_clone=True, create=True)
with pytest.raises(RepositoryError):
# Should fail on direct clone call, which as of this writing does not happen outside of class
clone_fail_repo = GitRepository(get_new_dir('injection-repo'), create=True)
clone_fail_repo.clone(repo_inject_path, update_after_clone=True,)
# Verify correct quoting of evil characters that should work on posix file systems
if sys.platform == 'win32':
# windows does not allow '"' in dir names
# and some versions of the git client don't like ` and '
tricky_path = get_new_dir("tricky-path-repo-$")
else:
tricky_path = get_new_dir("tricky-path-repo-$'\"`")
successfully_cloned = GitRepository(tricky_path, src_url=TEST_GIT_REPO, update_after_clone=True, create=True)
# Repo should have been created
assert not successfully_cloned._repo.bare
if sys.platform == 'win32':
# windows does not allow '"' in dir names
# and some versions of the git client don't like ` and '
tricky_path_2 = get_new_dir("tricky-path-2-repo-$")
else:
tricky_path_2 = get_new_dir("tricky-path-2-repo-$'\"`")
successfully_cloned2 = GitRepository(tricky_path_2, src_url=tricky_path, bare=True, create=True)
# Repo should have been created and thus used correct quoting for clone
assert successfully_cloned2._repo.bare
# Should pass because URL has been properly quoted
successfully_cloned.pull(tricky_path_2)
successfully_cloned2.fetch(tricky_path)
def test_git_cmd_injection(self):
repo_inject_path = TEST_GIT_REPO + '; echo "Cake";'
with self.assertRaises(urllib2.URLError):
# Should fail because URL will contain the parts after ; too
urlerror_fail_repo = GitRepository(get_new_dir('injection-repo'), src_url=repo_inject_path, update_after_clone=True, create=True)
with self.assertRaises(RepositoryError):
# Should fail on direct clone call, which as of this writing does not happen outside of class
clone_fail_repo = GitRepository(get_new_dir('injection-repo'), create=True)
clone_fail_repo.clone(repo_inject_path, update_after_clone=True,)
# Verify correct quoting of evil characters that should work on posix file systems
tricky_path = get_new_dir("tricky-path-repo-$'\"`")
successfully_cloned = GitRepository(tricky_path, src_url=TEST_GIT_REPO, update_after_clone=True, create=True)
# Repo should have been created
self.assertFalse(successfully_cloned._repo.bare)
tricky_path_2 = get_new_dir("tricky-path-2-repo-$'\"`")
successfully_cloned2 = GitRepository(tricky_path_2, src_url=tricky_path, bare=True, create=True)
# Repo should have been created and thus used correct quoting for clone
self.assertTrue(successfully_cloned2._repo.bare)
# Should pass because URL has been properly quoted
successfully_cloned.pull(tricky_path_2)
successfully_cloned2.fetch(tricky_path)