# HG changeset patch # User Mads Kiilerich # Date 1406677892 -7200 # Node ID df33fcf96df2cab5626c52534f6b462d8973367e # Parent a6dfd14d4b20d1930387d3dc0a3332ea139a838d git: rework tests to use local repos instead of accessing github ... and add missing quote found by this diff -r a6dfd14d4b20 -r df33fcf96df2 kallithea/lib/vcs/backends/git/repository.py --- a/kallithea/lib/vcs/backends/git/repository.py Fri Jul 18 14:10:58 2014 -0700 +++ b/kallithea/lib/vcs/backends/git/repository.py Wed Jul 30 01:51:32 2014 +0200 @@ -660,7 +660,7 @@ cmd.append('--bare') elif not update_after_clone: cmd.append('--no-checkout') - cmd += ['--', quote(url), self.path] + cmd += ['--', quote(url), quote(self.path)] cmd = ' '.join(cmd) # If error occurs run_git_command raises RepositoryError already self.run_git_command(cmd) diff -r a6dfd14d4b20 -r df33fcf96df2 kallithea/tests/vcs/test_git.py --- a/kallithea/tests/vcs/test_git.py Fri Jul 18 14:10:58 2014 -0700 +++ b/kallithea/tests/vcs/test_git.py Wed Jul 30 01:51:32 2014 +0200 @@ -28,30 +28,30 @@ self.assertRaises(RepositoryError, GitRepository, wrong_repo_path) def test_git_cmd_injection(self): - remote_repo_url = 'https://github.com/codeinn/vcs.git' - inject_remote = '%s;%s' % (remote_repo_url, '; echo "Cake";') + repo_inject_path = TEST_GIT_REPO + '; echo "Cake";' with self.assertRaises(urllib2.URLError): - # Should fail because URL will be: https://github.com/codeinn/vcs.git%3B%3B%20echo%20%22Cake%22%3B - urlerror_fail_repo = GitRepository(get_new_dir('injection-repo'), src_url=inject_remote, update_after_clone=True, create=True) + # Should fail because URL will contain the parts after ; too + urlerror_fail_repo = GitRepository(get_new_dir('injection-repo'), src_url=repo_inject_path, update_after_clone=True, create=True) with self.assertRaises(RepositoryError): # Should fail on direct clone call, which as of this writing does not happen outside of class clone_fail_repo = GitRepository(get_new_dir('injection-repo'), create=True) - clone_fail_repo.clone(inject_remote, update_after_clone=True,) + clone_fail_repo.clone(repo_inject_path, update_after_clone=True,) - successfully_cloned = GitRepository(get_new_dir('injection-repo'), src_url=remote_repo_url, update_after_clone=True, create=True) + # Verify correct quoting of evil characters that should work on posix file systems + tricky_path = get_new_dir("tricky-path-repo-$'\"`") + successfully_cloned = GitRepository(tricky_path, src_url=TEST_GIT_REPO, update_after_clone=True, create=True) # Repo should have been created self.assertFalse(successfully_cloned._repo.bare) - with self.assertRaises(RepositoryError): - # Should fail because URL will be invalid repo - inject_remote_var = '%s;%s' % (remote_repo_url, '; echo $PATH;') - successfully_cloned.fetch(inject_remote_var) + tricky_path_2 = get_new_dir("tricky-path-2-repo-$'\"`") + successfully_cloned2 = GitRepository(tricky_path_2, src_url=tricky_path, bare=True, create=True) + # Repo should have been created and thus used correct quoting for clone + self.assertTrue(successfully_cloned2._repo.bare) - with self.assertRaises(RepositoryError): - # Should fail because URL will be invalid repo - inject_remote_ls = '%s;%s' % (remote_repo_url, '; ls -1 ~;') - successfully_cloned.pull(inject_remote_ls) + # Should pass because URL has been properly quoted + successfully_cloned.pull(tricky_path_2) + successfully_cloned2.fetch(tricky_path) def test_repo_clone(self): self.__check_for_existing_repo()