From 7bc5366af1abb572238aa24dfe2552aed1fab966 Mon Sep 17 00:00:00 2001 From: Dominik Ritter Date: Thu, 15 Nov 2018 01:18:46 +0100 Subject: [PATCH 1/4] Add tests for branch name vulnerability --- test/segments/vcs-git.spec | 11 +++++++++++ test/segments/vcs-hg.spec | 13 ++++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/test/segments/vcs-git.spec b/test/segments/vcs-git.spec index 17a277fb..bb51766c 100755 --- a/test/segments/vcs-git.spec +++ b/test/segments/vcs-git.spec @@ -490,4 +490,15 @@ function testDetectingUntrackedFilesInCleanSubdirectoryWorks() { assertEquals "%K{002} %F{000} master ? %k%F{002}%f " "$(build_left_prompt)" } +function testBranchNameScriptingVulnerability() { + echo "#!/bin/sh\n\necho 'hacked'\n" > evil_script.sh + chmod +x evil_script.sh + + git checkout -b "$(./evil_script.sh)" 2>/dev/null + git add . 2>/dev/null + git commit -m "Initial commit" >/dev/null + + assertEquals "%K{002} %F{000} %f%F{000} \$(./evil_script.sh) %k%F{002}%f " "$(__p9k_build_left_prompt)" +} + source shunit2/shunit2 diff --git a/test/segments/vcs-hg.spec b/test/segments/vcs-hg.spec index 2903f544..53afbaac 100755 --- a/test/segments/vcs-hg.spec +++ b/test/segments/vcs-hg.spec @@ -204,4 +204,15 @@ function testBookmarkIconWorks() { assertEquals "%K{002} %F{000} default Binitial %k%F{002}%f " "$(build_left_prompt)" } -source shunit2/shunit2 \ No newline at end of file +function testBranchNameScriptingVulnerability() { + echo "#!/bin/sh\n\necho 'hacked'\n" > evil_script.sh + chmod +x evil_script.sh + + hg branch '$(./evil_script.sh)' >/dev/null + hg add . >/dev/null + hg commit -m "Initial commit" >/dev/null + + assertEquals "%K{002} %F{000} %f%F{000} \$(./evil_script.sh) %k%F{002}%f " "$(build_left_prompt)" +} + +source shunit2/shunit2 From 1b7e41964c84b124e91fafec66230c7c678a4145 Mon Sep 17 00:00:00 2001 From: Dominik Ritter Date: Thu, 15 Nov 2018 01:55:42 +0100 Subject: [PATCH 2/4] Fix configuration errors in the tests --- test/segments/vcs-git.spec | 4 +++- test/segments/vcs-hg.spec | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/test/segments/vcs-git.spec b/test/segments/vcs-git.spec index bb51766c..bb2aef5b 100755 --- a/test/segments/vcs-git.spec +++ b/test/segments/vcs-git.spec @@ -491,6 +491,8 @@ function testDetectingUntrackedFilesInCleanSubdirectoryWorks() { } function testBranchNameScriptingVulnerability() { + local -a POWERLEVEL9K_LEFT_PROMPT_ELEMENTS + POWERLEVEL9K_LEFT_PROMPT_ELEMENTS=(vcs) echo "#!/bin/sh\n\necho 'hacked'\n" > evil_script.sh chmod +x evil_script.sh @@ -498,7 +500,7 @@ function testBranchNameScriptingVulnerability() { git add . 2>/dev/null git commit -m "Initial commit" >/dev/null - assertEquals "%K{002} %F{000} %f%F{000} \$(./evil_script.sh) %k%F{002}%f " "$(__p9k_build_left_prompt)" + assertEquals "%K{002} %F{000} %f%F{000} \$(./evil_script.sh) %k%F{002}%f " "$(build_left_prompt)" } source shunit2/shunit2 diff --git a/test/segments/vcs-hg.spec b/test/segments/vcs-hg.spec index 53afbaac..de7c5d38 100755 --- a/test/segments/vcs-hg.spec +++ b/test/segments/vcs-hg.spec @@ -205,6 +205,8 @@ function testBookmarkIconWorks() { } function testBranchNameScriptingVulnerability() { + local -a POWERLEVEL9K_LEFT_PROMPT_ELEMENTS + POWERLEVEL9K_LEFT_PROMPT_ELEMENTS=(vcs) echo "#!/bin/sh\n\necho 'hacked'\n" > evil_script.sh chmod +x evil_script.sh @@ -212,7 +214,7 @@ function testBranchNameScriptingVulnerability() { hg add . >/dev/null hg commit -m "Initial commit" >/dev/null - assertEquals "%K{002} %F{000} %f%F{000} \$(./evil_script.sh) %k%F{002}%f " "$(build_left_prompt)" + assertEquals "%K{002} %F{000} \$(./evil_script.sh) %k%F{002}%f " "$(build_left_prompt)" } source shunit2/shunit2 From 24818eff794f32fea5a87a9d4c9e042534da272d Mon Sep 17 00:00:00 2001 From: Dominik Ritter Date: Thu, 15 Nov 2018 13:12:37 +0100 Subject: [PATCH 3/4] Fix test The branch name must not be expanded. --- test/segments/vcs-git.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/segments/vcs-git.spec b/test/segments/vcs-git.spec index bb2aef5b..f5777a1e 100755 --- a/test/segments/vcs-git.spec +++ b/test/segments/vcs-git.spec @@ -496,7 +496,7 @@ function testBranchNameScriptingVulnerability() { echo "#!/bin/sh\n\necho 'hacked'\n" > evil_script.sh chmod +x evil_script.sh - git checkout -b "$(./evil_script.sh)" 2>/dev/null + git checkout -b '$(./evil_script.sh)' 2>/dev/null git add . 2>/dev/null git commit -m "Initial commit" >/dev/null From a72a82b4b1641cde227a403add758d49c2782914 Mon Sep 17 00:00:00 2001 From: Dominik Ritter Date: Thu, 15 Nov 2018 13:17:40 +0100 Subject: [PATCH 4/4] Fix tests --- test/segments/vcs-git.spec | 2 +- test/segments/vcs-hg.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/segments/vcs-git.spec b/test/segments/vcs-git.spec index f5777a1e..ab2962c8 100755 --- a/test/segments/vcs-git.spec +++ b/test/segments/vcs-git.spec @@ -500,7 +500,7 @@ function testBranchNameScriptingVulnerability() { git add . 2>/dev/null git commit -m "Initial commit" >/dev/null - assertEquals "%K{002} %F{000} %f%F{000} \$(./evil_script.sh) %k%F{002}%f " "$(build_left_prompt)" + assertEquals '%K{002} %F{000} $(./evil_script.sh) %k%F{002}%f ' "$(build_left_prompt)" } source shunit2/shunit2 diff --git a/test/segments/vcs-hg.spec b/test/segments/vcs-hg.spec index de7c5d38..c4289cef 100755 --- a/test/segments/vcs-hg.spec +++ b/test/segments/vcs-hg.spec @@ -214,7 +214,7 @@ function testBranchNameScriptingVulnerability() { hg add . >/dev/null hg commit -m "Initial commit" >/dev/null - assertEquals "%K{002} %F{000} \$(./evil_script.sh) %k%F{002}%f " "$(build_left_prompt)" + assertEquals '%K{002} %F{000} $(./evil_script.sh) %k%F{002}%f ' "$(build_left_prompt)" } source shunit2/shunit2