authorMáximo Cuadros <mcuadros@gmail.com>2018-06-06 10:08:40 +0200
committerGitHub <noreply@github.com>2018-06-06 10:08:40 +0200
commitd33d3efff3e5aa7ac1be2c97f4dd1ac2190f00e2 (patch)
treed17ac93f9f75d81410389e255af854f7b2aae006 /config/modules_test.go
parentae788cfabbc02c2f836f5d8c3cc18021a97e9a88 (diff)
parentd87faeca21e6f416e88ae3d24dae58845d7487d4 (diff)
downloadgo-git-d33d3efff3e5aa7ac1be2c97f4dd1ac2190f00e2.tar.gz
Merge pull request #848 from josephvusich/fix/cve-2018-11235
config: modules, worktree: Submodule fixes for CVE-2018-11235
Diffstat (limited to 'config/modules_test.go')
-rw-r--r--config/modules_test.go26
1 files changed, 26 insertions, 0 deletions
diff --git a/config/modules_test.go b/config/modules_test.go
index 36cd93f..8e10d70 100644
--- a/config/modules_test.go
+++ b/config/modules_test.go
@@ -11,6 +11,29 @@ func (s *ModulesSuite) TestValidateMissingURL(c *C) {
c.Assert(m.Validate(), Equals, ErrModuleEmptyURL)
}
+func (s *ModulesSuite) TestValidateBadPath(c *C) {
+ input := []string{
+ `..`,
+ `../`,
+ `../bar`,
+
+ `/..`,
+ `/../bar`,
+
+ `foo/..`,
+ `foo/../`,
+ `foo/../bar`,
+ }
+
+ for _, p := range input {
+ m := &Submodule{
+ Path: p,
+ URL: "https://example.com/",
+ }
+ c.Assert(m.Validate(), Equals, ErrModuleBadPath)
+ }
+}
+
func (s *ModulesSuite) TestValidateMissingName(c *C) {
m := &Submodule{URL: "bar"}
c.Assert(m.Validate(), Equals, ErrModuleEmptyPath)
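Review bot: The `input` table in TestValidateBadPath covers only forward-slash spellings of `..` and has no counterpart listing paths that must still validate, so the test pins neither separator handling nor over-matching. If Validate is meant to reject backslash-separated components as well (its implementation is not on this page), add entries such as `"..\\bar"` and `"foo\\..\\bar"`. A second loop over names like `"foo..bar"`, `"..foo"` and `"foo/..bar"` asserting `IsNil` would catch a check that matches `..` as a substring rather than as a whole path component. Because `c.Assert` aborts on the first mismatch without naming the input, the loop body would be easier to debug as `c.Assert(m.Validate(), Equals, ErrModuleBadPath, Commentf("path %q", p))`.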
@@ -39,6 +62,9 @@ func (s *ModulesSuite) TestUnmarshall(c *C) {
path = foo/bar
url = https://github.com/foo/bar.git
branch = dev
+[submodule "suspicious"]
+ path = ../../foo/bar
+ url = https://github.com/foo/bar.git
`)
cfg := NewModules()