From 4aaca79ed12d327328f7650b737cb47e5ed83fa7 Mon Sep 17 00:00:00 2001 From: Justin Wernick Date: Mon, 20 Mar 2023 16:39:21 +0200 Subject: Add a failing test for the limiting where git repos can be on the server --- tests/server_shell.rs | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) (limited to 'tests') diff --git a/tests/server_shell.rs b/tests/server_shell.rs index ff3e1a4..c87fb53 100644 --- a/tests/server_shell.rs +++ b/tests/server_shell.rs @@ -1,5 +1,5 @@ use anyhow::Result; -use assert_cmd::{cargo::cargo_bin, Command}; +use assert_cmd::{assert::Assert, cargo::cargo_bin, Command}; use get_port::{tcp::TcpPort, Ops, Range}; use once_cell::sync::Lazy; use rexpect::session::{spawn_command, PtySession}; @@ -7,6 +7,8 @@ use std::{fs, io, path, sync::Mutex}; use tempfile::TempDir; use thiserror::Error; +const GIT_SSH_COMMAND: &str = "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + struct TestContext { workdir: TempDir, ssh_port: u16, @@ -120,6 +122,8 @@ fn connect_to_ssh_server_interactively(c: &TestContext) -> Result { &c.ssh_port.to_string(), "shukkie@localhost", "-o", + "UserKnownHostsFile=/dev/null", + "-o", "StrictHostKeyChecking=false", ]); command.current_dir(&c.workdir); @@ -149,19 +153,20 @@ fn shows_a_prompt() -> Result<()> { Ok(()) } -fn clone_git_repo(c: &TestContext, repo_name: &str) { +fn clone_git_repo(c: &TestContext, path: &str) -> Assert { Command::new("git") .args([ "clone", - &format!( - "ssh://shukkie@localhost:{}/home/shukkie/git/{}.git", - c.ssh_port, repo_name - ), + &format!("ssh://shukkie@localhost:{}{}", c.ssh_port, path), ]) + .env("GIT_SSH_COMMAND", GIT_SSH_COMMAND) .current_dir(&c.workdir) .timeout(std::time::Duration::from_secs(3)) .assert() - .success(); +} + +fn clone_git_repo_relative_path(c: &TestContext, repo_name: &str) -> Assert { + clone_git_repo(c, &format!("/home/shukkie/git/{}.git", repo_name)) } #[test] @@ -169,7 +174,7 @@ fn git_clone_works_with_an_empty_repo() -> Result<()> { let c = spawn_ssh_server()?; let repo_name = "my-new-clonable-repo"; make_new_repo(&c, repo_name)?; - clone_git_repo(&c, repo_name); + clone_git_repo_relative_path(&c, repo_name).success(); Ok(()) } @@ -179,7 +184,7 @@ fn git_push_works() -> Result<()> { let c = spawn_ssh_server()?; let repo_name = "my-new-pushable-repo"; make_new_repo(&c, repo_name)?; - clone_git_repo(&c, repo_name); + clone_git_repo_relative_path(&c, repo_name).success(); let repo_dir = c.workdir.as_ref().join(repo_name); @@ -201,9 +206,20 @@ fn git_push_works() -> Result<()> { Command::new("git") .args(["push", "origin"]) .current_dir(&repo_dir) + .env("GIT_SSH_COMMAND", GIT_SSH_COMMAND) .timeout(std::time::Duration::from_secs(3)) .assert() .success(); Ok(()) } + +#[test] +fn git_clone_can_not_target_repo_outside_allowed_paths() -> Result<()> { + let c = spawn_ssh_server()?; + clone_git_repo(&c, "/home/shukkie/disallowed.git") + .failure() + .stdout("Path is not accessible"); + + Ok(()) +} -- cgit v1.2.3