From: john at keeping.me.uk (John Keeping)
Subject: [PATCH] tests: Make sure that git does not access $HOME
Date: Mon, 8 Apr 2013 21:32:53 +0100
Message-ID: <20130408203253.GD2222@serenity.lan>
In-Reply-To: <1365452412-24148-1-git-send-email-Jason@zx2c4.com>

On Mon, Apr 08, 2013 at 10:20:12PM +0200, Jason A. Donenfeld wrote:
> From: "Jason A. Donenfeld" <Jason at zx2c4.com>
>
> With the latest changes to prevent git from accessing configuration
> files that it should not, it's important to be sure that we won't
> have further breakage in the future.
>
> Use strace to implement a test to make sure cgit does not access()
> anything built from $HOME.
>
> Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
> ---
> tests/t0109-gitconfig.sh | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
> create mode 100755 tests/t0109-gitconfig.sh
>
> diff --git a/tests/t0109-gitconfig.sh b/tests/t0109-gitconfig.sh
> new file mode 100755
> index 0000000..b68866f
> --- /dev/null
> +++ b/tests/t0109-gitconfig.sh
> @@ -0,0 +1,19 @@
> +#!/bin/sh
> +
> +test_description='Ensure that git does not access $HOME'
> +. ./setup.sh
> +
> +test -n "$(which strace 2>/dev/null)" || {
> + skip_all='Skipping access validation tests: strace not found'
> + test_done
> + exit
> +}
> +
> +test_expect_success 'no access to $HOME' '
> + non_existant_path="/path/to/some/place/that/does/not/possibly/exist/$(date +%N)"
> + strace -E HOME="$non_existant_path" -E CGIT_CONFIG="$PWD/cgitrc" \
> + -E QUERY_STRING="url=foo/commit" -e access -f cgit 2>&1 >/dev/null | \

Can we avoid a pipe here and use a temporary file instead?  In fact,
using "-o filename" to strace seems like the best way to make sure we
get exactly the right output.

It would also be a bit more readable like this:

	strace -E HOME="$non_existant_path" \
		-E CGIT_CONFIG="$PWD/cgitrc" \
		-E QUERY_STRING="url=foo/commit" \
		-e access \
		-o strace.out \
		-f cgit &&

> + test_must_fail grep "$non_existant_path"
> +'
> +
> +test_done
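
Review bot: The only assertion in the 'no access to $HOME' test is `test_must_fail grep "$non_existant_path"`, so the test also passes when strace cannot launch cgit or records nothing at all; the pipe discards strace's exit status and `2>&1 >/dev/null` leaves no trace to inspect afterwards. Write the trace to a file with `-o`, chain the commands with `&&`, and check that the file contains at least one `access(` line before asserting that the path is absent. Also, `-e access` restricts the trace to access(2), so an open() or stat() on a path built from $HOME would go unrecorded; widening the filter (for example `-e trace=file`) would bring the test in line with its description. Minor: `non_existant` should be spelled `nonexistent`, and `date +%N` is a GNU date extension.
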
> --
> 1.8.1.5