mugit: testscript/ssh-push.txtar (6bb47d39fa03e2384242dffa38ce0cc1215e7f1f)

mugit/testscript/ssh-push.txtar (view raw)

Oleksandr Smirnov ssh: make sure there's no shell injections with SSH_ORIGINAL_COMMAND, 1 month ago

git init local
cp file.txt local/file.txt
git -C local add file.txt
git -C local commit -m initial

mugit repo new ssh-push
exec env GIT_SSH_COMMAND=$SSH_WRAPPER git -C local push git@localhost:ssh-push.git master

exec git clone $MURL/ssh-push verify-clone
exists verify-clone/file.txt
exec cat verify-clone/file.txt
stdout 'hello from ssh'


# auto initializing on first push
git init local2
cp file.txt local2/file.txt
git -C local2 add file.txt
git -C local2 commit -m initial


exec env GIT_SSH_COMMAND=$SSH_WRAPPER git -C local2 push git@localhost:auto-init master
stderr 'info: auto-initializing auto-init'
exists $REPOS/auto-init.git/HEAD

# subsequent pushes should not re-initialize
cp file2.txt local2/file2.txt
git -C local2 add file2.txt
git -C local2 commit -m second

exec env GIT_SSH_COMMAND=$SSH_WRAPPER git -C local2 push git@localhost:auto-init master
! stderr 'auto-initializing auto-init'


# verify pushed content is available
exec env GIT_SSH_COMMAND=$SSH_WRAPPER git clone git@localhost:auto-init verify-auto-init
exists verify-auto-init/file.txt
exists verify-auto-init/file2.txt


# should not allow execution of commands
! exec $SSH_WRAPPER ignored 'echo hi'
stderr 'access denied:'

# should not accept command chaining after git command
! exec $SSH_WRAPPER ignored 'git-receive-pack auto-init.git && echo hi'
stderr 'access denied: invalid command'


-- file.txt --
hello from ssh

-- file2.txt --
hello second push

1	git init local
2	cp file.txt local/file.txt
3	git -C local add file.txt
4	git -C local commit -m initial
5
6	mugit repo new ssh-push
7	exec env GIT_SSH_COMMAND=$SSH_WRAPPER git -C local push git@localhost:ssh-push.git master
8
9	exec git clone $MURL/ssh-push verify-clone
10	exists verify-clone/file.txt
11	exec cat verify-clone/file.txt
12	stdout 'hello from ssh'
13
14
15	# auto initializing on first push
16	git init local2
17	cp file.txt local2/file.txt
18	git -C local2 add file.txt
19	git -C local2 commit -m initial
20
21
22	exec env GIT_SSH_COMMAND=$SSH_WRAPPER git -C local2 push git@localhost:auto-init master
23	stderr 'info: auto-initializing auto-init'
24	exists $REPOS/auto-init.git/HEAD
25
26	# subsequent pushes should not re-initialize
27	cp file2.txt local2/file2.txt
28	git -C local2 add file2.txt
29	git -C local2 commit -m second
30
31	exec env GIT_SSH_COMMAND=$SSH_WRAPPER git -C local2 push git@localhost:auto-init master
32	! stderr 'auto-initializing auto-init'
33
34
35	# verify pushed content is available
36	exec env GIT_SSH_COMMAND=$SSH_WRAPPER git clone git@localhost:auto-init verify-auto-init
37	exists verify-auto-init/file.txt
38	exists verify-auto-init/file2.txt
39
40
41	# should not allow execution of commands
42	! exec $SSH_WRAPPER ignored 'echo hi'
43	stderr 'access denied:'
44
45	# should not accept command chaining after git command
46	! exec $SSH_WRAPPER ignored 'git-receive-pack auto-init.git && echo hi'
47	stderr 'access denied: invalid command'
48
49
50	-- file.txt --
51	hello from ssh
52
53	-- file2.txt --
54	hello second push