aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2020-06-19 11:59:33 +0200
committerAndreas Schneider <asn@cryptomilk.org>2020-06-22 13:54:07 +0200
commit1694606e12d8950b003ff86248883732ef05e00c (patch)
tree8a34120becf89f7aac0886a2f1d2f2dd5bff5688
parenta76badf77af9ff92164fd97327d63cc731d753ef (diff)
downloadlibssh-1694606e12d8950b003ff86248883732ef05e00c.tar.gz
libssh-1694606e12d8950b003ff86248883732ef05e00c.tar.xz
libssh-1694606e12d8950b003ff86248883732ef05e00c.zip
tests: Add test for CVE-2019-14889
The test checks if a command appended to the file path is not executed. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--tests/client/torture_scp.c84
1 files changed, 84 insertions, 0 deletions
diff --git a/tests/client/torture_scp.c b/tests/client/torture_scp.c
index 8f080af3..59a00bae 100644
--- a/tests/client/torture_scp.c
+++ b/tests/client/torture_scp.c
@@ -37,6 +37,7 @@
#define BUF_SIZE 1024
#define TEMPLATE BINARYDIR "/tests/home/alice/temp_dir_XXXXXX"
+#define ALICE_HOME BINARYDIR "/tests/home/alice"
struct scp_st {
struct torture_state *s;
@@ -540,6 +541,86 @@ static void torture_scp_upload_newline(void **state)
fclose(file);
}
+static void torture_scp_upload_appended_command(void **state)
+{
+ struct scp_st *ts = NULL;
+ struct torture_state *s = NULL;
+
+ ssh_session session = NULL;
+ ssh_scp scp = NULL;
+
+ FILE *file = NULL;
+
+ char buf[1024];
+ char *rs = NULL;
+ int rc;
+
+ assert_non_null(state);
+ ts = *state;
+
+ assert_non_null(ts->s);
+ s = ts->s;
+
+ session = s->ssh.session;
+ assert_non_null(session);
+
+ assert_non_null(ts->tmp_dir_basename);
+ assert_non_null(ts->tmp_dir);
+
+ /* Upload a file path with a command appended */
+
+ /* Append a command to the file path */
+ snprintf(buf, BUF_SIZE, "%s"
+ "/;touch hack",
+ ts->tmp_dir);
+
+ /* When writing the file_name must be the directory name */
+ scp = ssh_scp_new(session, SSH_SCP_WRITE | SSH_SCP_RECURSIVE,
+ buf);
+ assert_non_null(scp);
+
+ rc = ssh_scp_init(scp);
+ assert_ssh_return_code(session, rc);
+
+ /* Push directory where the new file will be copied */
+ rc = ssh_scp_push_directory(scp, ";touch hack", 0755);
+ assert_ssh_return_code(session, rc);
+
+ /* Try to push file */
+ rc = ssh_scp_push_file(scp, "original", 8, 0644);
+ assert_ssh_return_code(session, rc);
+
+ rc = ssh_scp_write(scp, "original", 8);
+ assert_ssh_return_code(session, rc);
+
+ /* Leave the directory */
+ rc = ssh_scp_leave_directory(scp);
+ assert_ssh_return_code(session, rc);
+
+ /* Cleanup */
+ ssh_scp_close(scp);
+ ssh_scp_free(scp);
+
+ /* Make sure the command was not executed */
+ snprintf(buf, BUF_SIZE, ALICE_HOME "/hack");
+ file = fopen(buf, "r");
+ assert_null(file);
+
+ /* Open the file and check content */
+ snprintf(buf, BUF_SIZE, "%s"
+ "/;touch hack/original",
+ ts->tmp_dir);
+
+ file = fopen(buf, "r");
+ assert_non_null(file);
+
+ rs = fgets(buf, 1024, file);
+ assert_non_null(rs);
+ assert_string_equal(buf, "original");
+
+ fclose(file);
+}
+
int torture_run_tests(void)
{
int rc;
@@ -559,6 +640,9 @@ int torture_run_tests(void)
cmocka_unit_test_setup_teardown(torture_scp_upload_newline,
session_setup,
session_teardown),
+ cmocka_unit_test_setup_teardown(torture_scp_upload_appended_command,
+ session_setup,
+ session_teardown),
};
ssh_init();