Merge pull request #1066 from dritter/add_vcs_vulnerability_tests

Add tests for branch name vulnerability
Powerlevel9k · Nov 16, 2018 · 1a82717 · 1a82717
2 parents b430a21 + b8b0bb4
commit 1a82717
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/test/segments/vcs_git.spec b/test/segments/vcs_git.spec
@@ -613,6 +613,19 @@ function testDetectingUntrackedFilesInCleanSubdirectoryWorks() {
   assertEquals "%K{002} %F{000}? %f%F{000} master ? %k%F{002}%f " "$(__p9k_build_left_prompt)"
 }
 
+function testBranchNameScriptingVulnerability() {
+  local -a P9K_LEFT_PROMPT_ELEMENTS
+  P9K_LEFT_PROMPT_ELEMENTS=(vcs)
+  echo "#!/bin/sh\n\necho 'hacked'\n" > evil_script.sh
+  chmod +x evil_script.sh
+
+  git checkout -b '$(./evil_script.sh)' 2>/dev/null
+  git add . 2>/dev/null
+  git commit -m "Initial commit" >/dev/null
+
+  assertEquals '%K{002} %F{000} $(./evil_script.sh) %k%F{002}%f ' "$(__p9k_build_left_prompt)"
+}
+
 function testGitSubmoduleWorks() {
   local -a P9K_LEFT_PROMPT_ELEMENTS
   P9K_LEFT_PROMPT_ELEMENTS=(vcs)

diff --git a/test/segments/vcs_hg.spec b/test/segments/vcs_hg.spec
@@ -207,4 +207,17 @@ function testBookmarkIconWorks() {
   assertEquals "%K{002} %F{000} default Binitial %k%F{002}%f " "$(__p9k_build_left_prompt)"
 }
 
+function testBranchNameScriptingVulnerability() {
+  local -a P9K_LEFT_PROMPT_ELEMENTS
+  P9K_LEFT_PROMPT_ELEMENTS=(vcs)
+  echo "#!/bin/sh\n\necho 'hacked'\n" > evil_script.sh
+  chmod +x evil_script.sh
+
+  hg branch '$(./evil_script.sh)' >/dev/null
+  hg add . >/dev/null
+  hg commit -m "Initial commit" >/dev/null
+
+  assertEquals '%K{002} %F{000} $(./evil_script.sh) %k%F{002}%f ' "$(__p9k_build_left_prompt)"
+}
+
 source shunit2/shunit2