From 7bc5366af1abb572238aa24dfe2552aed1fab966 Mon Sep 17 00:00:00 2001
From: Dominik Ritter
Date: Thu, 15 Nov 2018 01:18:46 +0100
Subject: [PATCH] Add tests for branch name vulnerability
---
 test/segments/vcs-git.spec | 11 +++++++++++
 test/segments/vcs-hg.spec | 13 ++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/test/segments/vcs-git.spec b/test/segments/vcs-git.spec
index 17a277fb..bb51766c 100755
--- a/test/segments/vcs-git.spec
+++ b/test/segments/vcs-git.spec
@@ -490,4 +490,15 @@ function testDetectingUntrackedFilesInCleanSubdirectoryWorks() {
 assertEquals "%K{002} %F{000} master ? %k%F{002}%f " "$(build_left_prompt)"
 }
 
+function testBranchNameScriptingVulnerability() {
+ echo "#!/bin/sh\n\necho 'hacked'\n" > evil_script.sh
+ chmod +x evil_script.sh
+
+ git checkout -b "$(./evil_script.sh)" 2>/dev/null
+ git add . 2>/dev/null
+ git commit -m "Initial commit" >/dev/null
+
+ assertEquals "%K{002} %F{000} %f%F{000} \$(./evil_script.sh) %k%F{002}%f " "$(__p9k_build_left_prompt)"
+}
+
 source shunit2/shunit2
diff --git a/test/segments/vcs-hg.spec b/test/segments/vcs-hg.spec
index 2903f544..53afbaac 100755
--- a/test/segments/vcs-hg.spec
+++ b/test/segments/vcs-hg.spec
@@ -204,4 +204,15 @@ function testBookmarkIconWorks() {
 assertEquals "%K{002} %F{000} default Binitial %k%F{002}%f " "$(build_left_prompt)"
 }
 
-source shunit2/shunit2
\ No newline at end of file
+function testBranchNameScriptingVulnerability() {
+ echo "#!/bin/sh\n\necho 'hacked'\n" > evil_script.sh
+ chmod +x evil_script.sh
+
+ hg branch '$(./evil_script.sh)' >/dev/null
+ hg add . >/dev/null
+ hg commit -m "Initial commit" >/dev/null
+
+ assertEquals "%K{002} %F{000} %f%F{000} \$(./evil_script.sh) %k%F{002}%f " "$(build_left_prompt)"
+}
+
+source shunit2/shunit2
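Review bot: The `git checkout -b "$(./evil_script.sh)"` line in the git test is double-quoted, so the test shell expands the command substitution itself and runs evil_script.sh. The branch is then named after the script's output, not the literal `$(./evil_script.sh)` that the assertion expects, so the prompt code never sees a hostile branch name. Single quotes, as the hg test in this patch uses, keep the payload literal: `git checkout -b '$(./evil_script.sh)' 2>/dev/null`. Because stderr is discarded, a failed checkout would leave the repository on its previous branch with no visible sign. The assertion also calls `__p9k_build_left_prompt`, while the preceding test in this file and the hg test call `build_left_prompt`; it is worth confirming which name is defined for this spec.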
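Review bot: The assertion in the hg `testBranchNameScriptingVulnerability` compares prompt text only, so it cannot tell whether evil_script.sh was executed while the prompt was being built. A side-effect check would pin the security property directly: have the script create a marker file (for example `touch executed.marker`, a constructed name) and add `assertFalse "[ -e executed.marker ]"` after the prompt call. The script body is also written with `echo "...\n..."`, which depends on the running shell's echo interpreting backslash escapes. `printf '#!/bin/sh\n\necho hacked\n' > evil_script.sh` produces the same file in any shell. The same two points apply to the git test in this patch.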