"""Tests for libvcs hg repos."""
import getpass
import pathlib
import textwrap
import pytest
from libvcs.shortcuts import create_repo_from_pip_url, create_repo_legacy
from libvcs.util import run, which
# Both tests below depend on the hg_remote fixture, which shells out to hg,
# so mark the whole module as skipped when the executable cannot be found.
if not which("hg"):
    pytestmark = pytest.mark.skip(reason="hg is not available")
@pytest.fixture(autouse=True, scope="session")
def hgrc(user_path: pathlib.Path):
    """Write a minimal ``.hgrc`` into *user_path* and return its path.

    Session-scoped and autouse, so the file is written once and is available
    to every test without being requested explicitly.
    """
    # [ui] pins the commit identity and merge tool so commits made by the
    # fixtures do not depend on the developer's own Mercurial settings.
    # [trusted] names the account running the tests; Mercurial uses this list
    # to decide whose configuration files it will honour.
    config_text = textwrap.dedent(
        f"""
        [ui]
        username = libvcs tests <[email protected]>
        merge = internal:merge
        [trusted]
        users = {getpass.getuser()}
        """
    )
    config_file = user_path / ".hgrc"
    config_file.write_text(config_text, encoding="utf-8")
    return config_file
@pytest.fixture(autouse=True)
def hgrc_default(monkeypatch: pytest.MonkeyPatch, user_path: pathlib.Path):
    """Point ``HOME`` at *user_path* for the duration of each test.

    monkeypatch restores the previous value at teardown.  The ``.hgrc`` written
    by the ``hgrc`` fixture lives in the same directory.
    """
    home_dir = str(user_path)
    monkeypatch.setenv("HOME", home_dir)
@pytest.fixture
def hg_remote(repos_path):
    """Create a Mercurial repo with one commit, used as a remote.

    Returns the path of the new repository, ``repos_path / "test_hg_repo"``.
    """
    name = "test_hg_repo"
    remote_dir = repos_path / name
    tracked_file = "testfile.test"

    # Every command is passed as an argument list, so no shell parses it.
    run(["hg", "init", name], cwd=repos_path)
    run(["touch", tracked_file], cwd=remote_dir)
    run(["hg", "add", tracked_file], cwd=remote_dir)
    run(["hg", "commit", "-m", f"test file for {name}"], cwd=remote_dir)

    return remote_dir
def test_repo_mercurial(tmp_path: pathlib.Path, repos_path, hg_remote):
    """Update a repo built from a pip-style ``hg+file://`` URL and check its revision.

    The revision reported by ``get_revision()`` must equal what
    ``hg parents --template={rev}`` prints inside the checkout directory.
    """
    repo_name = "my_mercurial_project"
    checkout_dir = repos_path / repo_name

    mercurial_repo = create_repo_from_pip_url(
        pip_url=f"hg+file://{hg_remote}",
        repo_dir=checkout_dir,
    )

    run(["hg", "init", mercurial_repo.repo_name], cwd=tmp_path)

    mercurial_repo.update_repo()

    expected_revision = run(
        ["hg", "parents", "--template={rev}"],
        cwd=checkout_dir,
    )

    assert mercurial_repo.get_revision() == expected_revision
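def test_vulnerability_2022_03_12_command_injection(
    monkeypatch: pytest.MonkeyPatch,
    user_path: pathlib.Path,
    tmp_path: pathlib.Path,
    hg_remote,
):
    """Prevent hg aliases from executing arbitrary commands via URLs.

    Regression test: the repository URL below is shaped like an hg
    ``--config=`` option that defines a shell alias.  If hg ever interpreted
    it as an option, the alias would create a canary file named ``HELLO``.
    The test passes only when ``update_repo()`` fails and no canary appears.

    As of 0.11 this code path is/was only executed via .obtain(), so this would
    only affect explicit invocation of .obtain() or update_repo() on an
    uncloned destination.
    """
    # NOTE(review): the original docstring said ".object()" in the last
    # sentence; presumably ".obtain()" was meant -- confirm.
    random_dir = tmp_path / "random"
    random_dir.mkdir()
    # The canary path inside the URL is relative, so pin the working directory
    # to a throwaway location under tmp_path before anything runs.
    monkeypatch.chdir(str(random_dir))

    mercurial_repo = create_repo_legacy(
        url="--config=alias.clone=!touch ./HELLO", vcs="hg", repo_dir="./"
    )

    # NOTE(review): Exception is broad, so an unrelated failure (for example
    # hg missing from PATH) also satisfies this block.  The canary check below
    # is what shows the alias did not run; narrow the type if the library
    # exposes a specific error for a failed command.
    with pytest.raises(Exception):
        mercurial_repo.update_repo()

    # Search the whole tmp_path tree rather than random_dir alone: the
    # subprocess working directory is chosen by the library, and a canary
    # written next to random_dir would otherwise go unnoticed.  Locations
    # outside tmp_path are not covered by this check.
    canaries = sorted(tmp_path.rglob("HELLO"))
    assert not canaries, "Prevent command injection in hg aliases"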