diff options
author | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2019-11-04 17:06:26 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2019-12-09 16:38:37 +0100 |
commit | 95eb071c22814deade9675c221c9eb74b95c4d31 (patch) | |
tree | 4e6265c54a9b98acd0f2719b9a414daba10ac3cd | |
parent | d117de188f3adc89e2c5f371985b1cf538c2f1fb (diff) | |
download | libssh-95eb071c22814deade9675c221c9eb74b95c4d31.tar.gz libssh-95eb071c22814deade9675c221c9eb74b95c4d31.tar.xz libssh-95eb071c22814deade9675c221c9eb74b95c4d31.zip |
tests: Add a test for SCP with protocol message injection
Test if the file name is correctly escaped to avoid protocol message
injection.
Fixes T189
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
(cherry picked from commit cc9db5b56c9775a599de1288206c941c4c40aa2a)
-rw-r--r-- | tests/client/torture_scp.c | 73 |
1 files changed, 72 insertions, 1 deletions
diff --git a/tests/client/torture_scp.c b/tests/client/torture_scp.c index b20ed34a..2784157c 100644 --- a/tests/client/torture_scp.c +++ b/tests/client/torture_scp.c @@ -469,6 +469,74 @@ static void torture_scp_download_recursive(void **state) ssh_scp_free(scp); } +static void torture_scp_upload_newline(void **state) +{ + struct scp_st *ts = NULL; + struct torture_state *s = NULL; + + ssh_session session = NULL; + ssh_scp scp = NULL; + + FILE *file = NULL; + + char buf[1024]; + + int rc; + + assert_non_null(state); + ts = *state; + + assert_non_null(ts->s); + s = ts->s; + + session = s->ssh.session; + assert_non_null(session); + + assert_non_null(ts->tmp_dir_basename); + assert_non_null(ts->tmp_dir); + + /* Upload recursively trying to inject protocol messages */ + + /* When writing the file_name must be the directory name */ + scp = ssh_scp_new(session, SSH_SCP_WRITE | SSH_SCP_RECURSIVE, + ts->tmp_dir_basename); + assert_non_null(scp); + + rc = ssh_scp_init(scp); + assert_ssh_return_code(session, rc); + + /* Push directory where the new file will be copied */ + rc = ssh_scp_push_directory(scp, "test_inject", 0755); + assert_ssh_return_code(session, rc); + + /* Try to push file with injected protocol messages */ + rc = ssh_scp_push_file(scp, "original\nreplacedC0777 8 injected", 8, 0644); + assert_ssh_return_code(session, rc); + + rc = ssh_scp_write(scp, "original", 8); + assert_ssh_return_code(session, rc); + + /* Leave the directory */ + rc = ssh_scp_leave_directory(scp); + assert_ssh_return_code(session, rc); + + /* Cleanup */ + ssh_scp_close(scp); + ssh_scp_free(scp); + + /* Open the file and check content */ + snprintf(buf, BUF_SIZE, "%s/test_inject/" + "original\\nreplacedC0777 8 injected", + ts->tmp_dir); + file = fopen(buf, "r"); + assert_non_null(file); + + fgets(buf, 1024, file); + assert_string_equal(buf, "original"); + + fclose(file); +} + int torture_run_tests(void) { int rc; @@ -484,7 +552,10 @@ int torture_run_tests(void) session_teardown), cmocka_unit_test_setup_teardown(torture_scp_download_recursive, session_setup, - session_teardown) + session_teardown), + cmocka_unit_test_setup_teardown(torture_scp_upload_newline, + session_setup, + session_teardown), }; ssh_init(); |