use tempfile.TemporaryDirectory & fix clone_from_unsafe_protocol tests #1531
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks a lot for your contribution, it's much appreciated! |
EliahKagan
added a commit
to EliahKagan/GitPython
that referenced
this pull request
Nov 15, 2023
This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. In addition, test_clone_command_injection should not be confused with test_clone_test_clone_from_command_injection, which passes on all platforms. The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to (when the possible security vulnerability this test checks for is *absent*) is not valid. So this is a test bug, and it *appears* that the code under test does not have the vulnerability being checked for. This doesn't appear to be reported as a bug, but some general context about the current implementation of this test can be examined in gitpython-developers#1531 where the last major change to it was done. When the test is fixed, that will become more clear. At that time, this commit can be reverted to remove the xfail mark.
EliahKagan
added a commit
to EliahKagan/GitPython
that referenced
this pull request
Nov 16, 2023
This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms. The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to (when the possible security vulnerability this test checks for is *absent*) is not valid. Although this suggest the bug may only be in the test and that the code under test may be working on Windows, but the test does not establish that, for which it would need to test with a payload clearly capable of creating a file unexpected_path points to when run on its own. I am unsure if that is the case, given that the "touch" command is used. This doesn't appear to be reported as a bug, but some general context about the current implementation of this test can be examined in gitpython-developers#1531 where the last major change to it was done. When the test is fixed, that will become more clear. At that time, this commit can be reverted to remove the xfail mark.
EliahKagan
added a commit
to EliahKagan/GitPython
that referenced
this pull request
Nov 16, 2023
This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms. The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to (when the possible security vulnerability this test checks for is *absent*) is not valid. Although this suggest the bug may only be in the test and that the code under test may be working on Windows, but the test does not establish that, for which it would need to test with a payload clearly capable of creating a file unexpected_path points to when run on its own. I am unsure if that is the case, given that the "touch" command is used. This doesn't appear to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
EliahKagan
added a commit
to EliahKagan/GitPython
that referenced
this pull request
Nov 16, 2023
This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms. The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to -- when the possible security vulnerability this test checks for is absent -- is not valid. This suggests the bug may only be in the test and that the code under test may be working on Windows. But the test does not establish that, for which it would need to test with a payload clearly capable of creating the file unexpected_path refers to when run on its own. (The "\" characters in the path seem to be treated as escape characters rather than literally. Also, "touch" is not a native Windows command, and the "touch" command in Git for Windows maps disallowed occurrences of ":" in filenames to a separate code point in the Private Use Area of the Basic Multilingual Plane.) This doesn't currently seem to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
EliahKagan
added a commit
to EliahKagan/GitPython
that referenced
this pull request
Nov 16, 2023
This other GitCommandError on Windows is not related to IndexFile.from_tree whose 8 related failing tests were marked xfail in the preceding commit. Also, test_clone_command_injection should not be confused with test_clone_from_command_injection, which passes on all platforms. The problem here appears to be that, on Windows, the path of the directory GitPython is intended to clone to -- when the possible security vulnerability this test checks for is absent -- is not valid. This suggests the bug may only be in the test and that the code under test may be working on Windows. But the test does not establish that, for which it would need to test with a payload clearly capable of creating the file unexpected_path refers to when run on its own. This doesn't currently seem to be reported as a bug, but some general context about the implementation can be examined in gitpython-developers#1518 where it was introduced, and gitpython-developers#1531 where it was modified.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
tempfile.TemporaryDirectory()instead oftempfile.mkdtemp()to not leave temporary files behind (though that still happens in some other tests that are harder to fix);/tmp/pwnw/{tmp_file};tmp_dir / "repo"instead oftmp_dir, sincetmp_dir / "pwn"will never exist afterwards otherwise;ext::shthat actually allows the protocol, to ensure we're not missing anything in the other tests.