aboutsummaryrefslogtreecommitdiffstats
path: root/config/modules_test.go
diff options
context:
space:
mode:
authorJoseph Vusich <jvusich@amazon.com>2018-05-30 02:42:46 +0000
committerJoseph Vusich <jvusich@amazon.com>2018-05-30 17:42:09 +0000
commit79b7f24160029966238b04dd41f69add0741a1d2 (patch)
treeba6f5db1fc1ebbe478e46b166ef65531842795ee /config/modules_test.go
parent57570e84f8c5739f0f4a59387493e590e709dde9 (diff)
downloadgo-git-79b7f24160029966238b04dd41f69add0741a1d2.tar.gz
config: modules, Ignore submodules with dotdot '..' path components. Fixes CVE-2018-11235
References: * https://blogs.msdn.microsoft.com/devops/2018/05/29/announcing-the-may-2018-git-security-vulnerability/ * https://security-tracker.debian.org/tracker/CVE-2018-11235 * https://github.com/git/git/commit/0383bbb9015898cbc79abd7b64316484d7713b44 Signed-off-by: Joseph Vusich <jvusich@amazon.com>
Diffstat (limited to 'config/modules_test.go')
-rw-r--r--config/modules_test.go26
1 files changed, 26 insertions, 0 deletions
diff --git a/config/modules_test.go b/config/modules_test.go
index 36cd93f..8e10d70 100644
--- a/config/modules_test.go
+++ b/config/modules_test.go
@@ -11,6 +11,29 @@ func (s *ModulesSuite) TestValidateMissingURL(c *C) {
c.Assert(m.Validate(), Equals, ErrModuleEmptyURL)
}
+func (s *ModulesSuite) TestValidateBadPath(c *C) {
+ input := []string{
+ `..`,
+ `../`,
+ `../bar`,
+
+ `/..`,
+ `/../bar`,
+
+ `foo/..`,
+ `foo/../`,
+ `foo/../bar`,
+ }
+
+ for _, p := range input {
+ m := &Submodule{
+ Path: p,
+ URL: "https://example.com/",
+ }
+ c.Assert(m.Validate(), Equals, ErrModuleBadPath)
+ }
+}
+
func (s *ModulesSuite) TestValidateMissingName(c *C) {
m := &Submodule{URL: "bar"}
c.Assert(m.Validate(), Equals, ErrModuleEmptyPath)
@@ -39,6 +62,9 @@ func (s *ModulesSuite) TestUnmarshall(c *C) {
path = foo/bar
url = https://github.com/foo/bar.git
branch = dev
+[submodule "suspicious"]
+ path = ../../foo/bar
+ url = https://github.com/foo/bar.git
`)
cfg := NewModules()