Add a few tests for the SCM module.

In particular, test to see if we can pass a branch name with shell characters, and get MBS to inadvertently execute malicious code. The test shows that doing this in a straightforward way is not possible and should guard against any future regressions. Fixes #329.
2026-04-04 19:28:49 +08:00 · 2017-02-20 09:25:00 -05:00
parent 0c441bbcd4
commit 2e6e153660
1 changed files with 67 additions and 0 deletions
--- a/tests/test_scm.py
+++ b/tests/test_scm.py
@@ -0,0 +1,67 @@
+# Copyright (c) 2017  Red Hat, Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#
+# Written by Ralph Bean <rbean@redhat.com>
+
+import os
+import shutil
+import tempfile
+
+import unittest
+
+import module_build_service.scm
+
+this_repo_path = 'file://' + os.path.abspath(os.path.dirname(__file__) + "/..")
+
+
+class TestSCMModule(unittest.TestCase):
+
+    def setUp(self):
+        self.tempdir = tempfile.mkdtemp()
+        self.repodir = self.tempdir + '/module-build-service'
+
+    def tearDown(self):
+        if os.path.exists(self.tempdir):
+            shutil.rmtree(self.tempdir)
+
+    def test_simple_local_checkout(self):
+        """ See if we can clone a local git repo. """
+        scm = module_build_service.scm.SCM(this_repo_path)
+        scm.checkout(self.tempdir)
+        files = os.listdir(self.repodir)
+        assert 'LICENSE' in files, "LICENSE not in %r" % files
+
+    def test_local_get_latest_is_sane(self):
+        """ See that a hash is returned by scm.get_latest. """
+        scm = module_build_service.scm.SCM(this_repo_path)
+        latest = scm.get_latest(branch='master')
+        error = "%r is %i chars long, not 40" % (latest, len(latest))
+        assert len(latest) == 40, error
+
+    def test_local_get_latest_unclean_input(self):
+        """ Ensure that shell characters aren't handled poorly.
+
+        https://pagure.io/fm-orchestrator/issue/329
+        """
+        scm = module_build_service.scm.SCM(this_repo_path)
+        assert scm.scheme == 'git', scm.scheme
+        fname = tempfile.mktemp(suffix='mbs-scm-test')
+        scm.get_latest(branch='master; touch %s' % fname)
+        assert not os.path.exists(fname), "%r exists!  Vulnerable." % fname