mirror
/
c9-core
kopia lustrzana https://github.com/c9/core
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

Merge pull request +11427 from c9/fix-issue-11379-git-urls 

fixes +11379 we dont allow dangerous shell chars in scm urls ever
smf-sdk
Matthijs van Henten 2016-01-06 12:02:25 +01:00
rodzic 92dace1fdc ad867d45c1
commit 017e7630ed
2 zmienionych plików z 97 dodań i 44 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

28
node_modules/c9/scm_url_parse.js wygenerowano vendored
Wyświetl plik

@ -10,7 +10,31 @@ define(function(require, exports, module) {
};
var defaultProvider = "unknown";
/**
* Checks if there are unexpected (dangerous) characters in the url
*
* Source:
*
* http://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html
*
* The application shall quote the following characters if they are to represent themselves:
*
* | & ; < > ( ) $ ` \ " ' <space> <tab> <newline>
*
* and the following may need to be quoted under certain circumstances. That is, these characters may be special depending on conditions described elsewhere in this volume of IEEE Std 1003.1-2001:
*
* * ? [ # ˜ = %
*/
function containsDangerousShellCharacters(url){
return /[\s;&|><*?`$(){}[\]!#]/.test(url);
}
module.exports = function(url) {
// scm urls cannot contain any of these
if (containsDangerousShellCharacters(url))
return;
var m = url.match(/^(git)@([\w\.\d\-\_]+)(?:\/|:)([\w\.\d\-\_\/]+)/);
if (m) {
return {
@ -48,6 +72,10 @@ define(function(require, exports, module) {
default:
scm = parsed.pathname.match(/\.git$/) ? "git": "hg";
}
return {
protocol: parsed.protocol,
scm: scm,

113
node_modules/c9/scm_url_parse_test.js wygenerowano vendored
Wyświetl plik

@ -1,4 +1,5 @@
#!/usr/bin/env node
/*global describe it before after beforeEach afterEach */
"use strict";
@ -11,51 +12,51 @@ require("amd-loader");
var assert = require("assert");
var parse = require("./scm_url_parse");
describe(__filename, function(){
describe(__filename, function() {
describe("#parse", function() {
it("should parse ssh url", function(done) {
var url = parse("git@github.com:fjakobs/lispjs.git");
assert.equal(url.scm, "git");
assert.equal(url.protocol, "ssh:");
assert.equal(url.auth, "git");
assert.equal(url.hostname, "github.com");
assert.equal(url.pathname, "fjakobs/lispjs.git");
done();
}),
it("should parse git url", function(done) {
var url = parse("git://github.com/fjakobs/lispjs.git");
assert.equal(url.scm, "git");
assert.equal(url.protocol, "git:");
assert.equal(url.hostname, "github.com");
assert.equal(url.pathname, "fjakobs/lispjs.git");
done();
}),
it("should parse https url", function(done) {
var url = parse("https://fjakobs@github.com/fjakobs/lispjs.git");
assert.equal(url.protocol, "https:");
assert.equal(url.scm, "git");
assert.equal(url.auth, "fjakobs");
assert.equal(url.hostname, "github.com");
assert.equal(url.pathname, "fjakobs/lispjs.git");
done();
}),
it("should parse Bitbucket url", function(done) {
var url = parse("git@bitbucket.org/Richard/expressling.git");
assert.equal(url.protocol, "ssh:");
assert.equal(url.scm, "git");
assert.equal(url.auth, "git");
assert.equal(url.hostname, "bitbucket.org");
assert.equal(url.pathname, "Richard/expressling.git");
done();
});
var url = parse("git@github.com:fjakobs/lispjs.git");
assert.equal(url.scm, "git");
assert.equal(url.protocol, "ssh:");
assert.equal(url.auth, "git");
assert.equal(url.hostname, "github.com");
assert.equal(url.pathname, "fjakobs/lispjs.git");
done();
}),
it("should parse git url", function(done) {
var url = parse("git://github.com/fjakobs/lispjs.git");
assert.equal(url.scm, "git");
assert.equal(url.protocol, "git:");
assert.equal(url.hostname, "github.com");
assert.equal(url.pathname, "fjakobs/lispjs.git");
done();
}),
it("should parse https url", function(done) {
var url = parse("https://fjakobs@github.com/fjakobs/lispjs.git");
assert.equal(url.protocol, "https:");
assert.equal(url.scm, "git");
assert.equal(url.auth, "fjakobs");
assert.equal(url.hostname, "github.com");
assert.equal(url.pathname, "fjakobs/lispjs.git");
done();
}),
it("should parse Bitbucket url", function(done) {
var url = parse("git@bitbucket.org/Richard/expressling.git");
assert.equal(url.protocol, "ssh:");
assert.equal(url.scm, "git");
assert.equal(url.auth, "git");
assert.equal(url.hostname, "bitbucket.org");
assert.equal(url.pathname, "Richard/expressling.git");
done();
});
it("should parse Bitbucket hg ssh url", function(done) {
var url = parse("ssh://hg@bitbucket.org/fjakobs/juhu");
assert.equal(url.protocol, "ssh:");
@ -64,7 +65,7 @@ describe(__filename, function(){
assert.equal(url.pathname, "fjakobs/juhu");
done();
});
it("should parse github URL without .git", function(done) {
var url = parse("https://github.com/arunoda/meteor-streams");
assert.equal(url.protocol, "https:");
@ -74,6 +75,30 @@ describe(__filename, function(){
assert.equal(url.pathname, "arunoda/meteor-streams");
done();
});
it("Should refuse a git url with dangerous shell chars in it", function() {
var validUrls = [
"https://github.com/arunoda/meteor-streams",
"https://fjakobs@github.com/fjakobs/lispjs.git",
"ssh://hg@bitbucket.org/fjakobs/juhu",
"git@bitbucket.org/Richard/expressling.git",
"git://github.com/fjakobs/lispjs.git",
"git@github.com:fjakobs/lispjs.git",
];
var exploits = [
"&:(){ :|:& };:",
"&rm -rf /",
";uname-a"
];
validUrls.forEach(function(url) {
assert.ok(parse(url), "This url is normally valid: " + url);
exploits.forEach(function(exploit) {
assert.equal(parse(url + exploit), undefined, "But not with an exploit: " + url + exploit);
});
});
});
});
});