This repository has been archived by the owner on Jul 24, 2020. It is now read-only.
/
test-illegal-contents.t
117 lines (108 loc) · 3.35 KB
/
test-illegal-contents.t
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
Check for contents we should refuse to export to git repositories (or
at least warn).
Load commonly used test logic
$ . "$TESTDIR/testutil"
$ hg init hg
$ cd hg
$ mkdir -p .git/hooks
$ cat > .git/hooks/post-update <<EOF
> #!/bin/sh
> echo pwned
> EOF
$ hg addremove
adding .git/hooks/post-update
$ hg ci -m "we should refuse to export this"
$ hg book master
$ hg gexport
abort: Refusing to export likely-dangerous path '.git/hooks/post-update'
(If you need to continue, read about CVE-2014-9390 and then set '[git] blockdotgit = false' in your hgrc.)
[255]
$ cd ..
$ rm -rf hg
$ hg init hg
$ cd hg
$ mkdir -p nested/.git/hooks/
$ cat > nested/.git/hooks/post-update <<EOF
> #!/bin/sh
> echo pwnd
> EOF
$ chmod +x nested/.git/hooks/post-update
$ hg addremove
adding nested/.git/hooks/post-update
$ hg ci -m "also refuse to export this"
$ hg book master
$ hg gexport
abort: Refusing to export likely-dangerous path 'nested/.git/hooks/post-update'
(If you need to continue, read about CVE-2014-9390 and then set '[git] blockdotgit = false' in your hgrc.)
[255]
We can override if needed:
$ hg --config git.blockdotgit=false gexport
warning: path 'nested/.git/hooks/post-update' contains a potentially dangerous path component.
It may not be legal to check out in Git.
It may also be rejected by some git server configurations.
$ cd ..
$ git clone hg/.hg/git git
Cloning into 'git'...
done.
error: Invalid path 'nested/.git/hooks/post-update'
Now check something that case-folds to .git, which might let you own
Mac users:
$ cd ..
$ rm -rf hg
$ hg init hg
$ cd hg
$ mkdir -p .GIT/hooks/
$ cat > .GIT/hooks/post-checkout <<EOF
> #!/bin/sh
> echo pwnd
> EOF
$ chmod +x .GIT/hooks/post-checkout
$ hg addremove
adding .GIT/hooks/post-checkout
$ hg ci -m "also refuse to export this"
$ hg book master
$ hg gexport
$ cd ..
And the NTFS case:
$ cd ..
$ rm -rf hg
$ hg init hg
$ cd hg
$ mkdir -p GIT~1/hooks/
$ cat > GIT~1/hooks/post-checkout <<EOF
> #!/bin/sh
> echo pwnd
> EOF
$ chmod +x GIT~1/hooks/post-checkout
$ hg addremove
adding GIT~1/hooks/post-checkout
$ hg ci -m "also refuse to export this"
$ hg book master
$ hg gexport
abort: Refusing to export likely-dangerous path 'GIT~1/hooks/post-checkout'
(If you need to continue, read about CVE-2014-9390 and then set '[git] blockdotgit = false' in your hgrc.)
[255]
$ cd ..
Now check a Git repository containing a Mercurial repository, which
you can't check out.
$ rm -rf hg git nested
$ git init -q git
$ hg init nested
$ mv nested git
$ cd git
$ git add nested
$ fn_git_commit -m 'add a Mercurial repository'
$ cd ..
$ hg clone git hg
importing git objects into hg
abort: Refusing to import problematic path 'nested/.hg/00changelog.i'
(Mercurial cannot check out paths inside nested repositories; if you need to continue, then set '[git] blockdothg = false' in your hgrc.)
[255]
$ hg clone --config git.blockdothg=false git hg
importing git objects into hg
warning: path 'nested/.hg/00changelog.i' is within a nested repository, which Mercurial cannot check out.
warning: path 'nested/.hg/requires' is within a nested repository, which Mercurial cannot check out.
updating to branch default
abort: path 'nested/.hg/00changelog.i' is inside nested repo 'nested'
[255]
$ cd ..