Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork937
use tempfile.TemporaryDirectory & fix clone_from_unsafe_protocol tests#1531
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
Uh oh!
There was an error while loading.Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
Thanks a lot for your contribution, it's much appreciated! |
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull requestNov 15, 2023
This other GitCommandError on Windows is not related toIndexFile.from_tree whose 8 related failing tests were markedxfail in the preceding commit.In addition, test_clone_command_injection should not be confusedwith test_clone_test_clone_from_command_injection, which passes onall platforms.The problem here appears to be that, on Windows, the path of thedirectory GitPython is intended to clone to (when the possiblesecurity vulnerability this test checks for is *absent*) is notvalid. So this is a test bug, and it *appears* that the code undertest does not have the vulnerability being checked for.This doesn't appear to be reported as a bug, but some generalcontext about the current implementation of this test can beexamined ingitpython-developers#1531 where the last major change to it was done.When the test is fixed, that will become more clear. At that time,this commit can be reverted to remove the xfail mark.
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull requestNov 16, 2023
This other GitCommandError on Windows is not related toIndexFile.from_tree whose 8 related failing tests were markedxfail in the preceding commit.Also, test_clone_command_injection should not be confused withtest_clone_from_command_injection, which passes on all platforms.The problem here appears to be that, on Windows, the path of thedirectory GitPython is intended to clone to (when the possiblesecurity vulnerability this test checks for is *absent*) is notvalid. Although this suggest the bug may only be in the test andthat the code under test may be working on Windows, but the testdoes not establish that, for which it would need to test with apayload clearly capable of creating a file unexpected_path pointsto when run on its own. I am unsure if that is the case, giventhat the "touch" command is used.This doesn't appear to be reported as a bug, but some generalcontext about the current implementation of this test can beexamined ingitpython-developers#1531 where the last major change to it was done.When the test is fixed, that will become more clear. At that time,this commit can be reverted to remove the xfail mark.
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull requestNov 16, 2023
This other GitCommandError on Windows is not related toIndexFile.from_tree whose 8 related failing tests were markedxfail in the preceding commit.Also, test_clone_command_injection should not be confused withtest_clone_from_command_injection, which passes on all platforms.The problem here appears to be that, on Windows, the path of thedirectory GitPython is intended to clone to (when the possiblesecurity vulnerability this test checks for is *absent*) is notvalid. Although this suggest the bug may only be in the test andthat the code under test may be working on Windows, but the testdoes not establish that, for which it would need to test with apayload clearly capable of creating a file unexpected_path pointsto when run on its own. I am unsure if that is the case, giventhat the "touch" command is used.This doesn't appear to be reported as a bug, but some generalcontext about the implementation can be examined ingitpython-developers#1518 where itwas introduced, andgitpython-developers#1531 where it was modified.
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull requestNov 16, 2023
This other GitCommandError on Windows is not related toIndexFile.from_tree whose 8 related failing tests were marked xfailin the preceding commit.Also, test_clone_command_injection should not be confused withtest_clone_from_command_injection, which passes on all platforms.The problem here appears to be that, on Windows, the path of thedirectory GitPython is intended to clone to -- when the possiblesecurity vulnerability this test checks for is absent -- is notvalid. This suggests the bug may only be in the test and that thecode under test may be working on Windows. But the test does notestablish that, for which it would need to test with a payloadclearly capable of creating the file unexpected_path refers to whenrun on its own. (The "\" characters in the path seem to be treatedas escape characters rather than literally. Also, "touch" is not anative Windows command, and the "touch" command in Git for Windowsmaps disallowed occurrences of ":" in filenames to a separate codepoint in the Private Use Area of the Basic Multilingual Plane.)This doesn't currently seem to be reported as a bug, but somegeneral context about the implementation can be examined ingitpython-developers#1518where it was introduced, andgitpython-developers#1531 where it was modified.
EliahKagan added a commit to EliahKagan/GitPython that referenced this pull requestNov 16, 2023
This other GitCommandError on Windows is not related toIndexFile.from_tree whose 8 related failing tests were marked xfailin the preceding commit.Also, test_clone_command_injection should not be confused withtest_clone_from_command_injection, which passes on all platforms.The problem here appears to be that, on Windows, the path of thedirectory GitPython is intended to clone to -- when the possiblesecurity vulnerability this test checks for is absent -- is notvalid. This suggests the bug may only be in the test and that thecode under test may be working on Windows. But the test does notestablish that, for which it would need to test with a payloadclearly capable of creating the file unexpected_path refers to whenrun on its own.This doesn't currently seem to be reported as a bug, but somegeneral context about the implementation can be examined ingitpython-developers#1518where it was introduced, andgitpython-developers#1531 where it was modified.
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Labels
None yet
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
tempfile.TemporaryDirectory()instead oftempfile.mkdtemp()to not leave temporary files behind (though that still happens in some other tests that are harder to fix);/tmp/pwnw/{tmp_file};tmp_dir / "repo"instead oftmp_dir, sincetmp_dir / "pwn"will never exist afterwards otherwise;ext::shthat actually allows the protocol, to ensure we're not missing anything in the other tests.