
Commit 8fcee9b

committed
changeset & lint
1 parent 9545931 commit 8fcee9b


2 files changed

+43
-47
lines changed


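--- a/.changeset/pink-and-gold.md
+++ b/.changeset/pink-and-gold.md
@@ -0,0 +1,5 @@
+---
+'simple-git': minor
+---
+
+Adds vulnerability detection to prevent use of `--upload-pack` and `--receive-pack` without explicitly opting in.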
Lines changed: 38 additions & 47 deletions
@@ -1,16 +1,20 @@
1-
import { promiseError } from "@kwsites/promise-result";
2-
import { assertExecutedCommands, assertGitError, closeWithSuccess, newSimpleGit } from "./__fixtures__";
3-
4-
describe("blockUnsafeOperationsPlugin", () => {
5-
1+
import { promiseError } from '@kwsites/promise-result';
2+
import {
3+
assertExecutedCommands,
4+
assertGitError,
5+
closeWithSuccess,
6+
newSimpleGit,
7+
} from './__fixtures__';
8+
9+
describe('blockUnsafeOperationsPlugin', () => {
610
it.each([
7-
["cmd", "--upload-pack=touch /tmp/pwn0"],
8-
["cmd", "--receive-pack=touch /tmp/pwn1"],
9-
["clone", "-u touch /tmp/pwn"]
10-
])("allows %s %s only when using override", async (cmd, option) => {
11+
['cmd', '--upload-pack=touch /tmp/pwn0'],
12+
['cmd', '--receive-pack=touch /tmp/pwn1'],
13+
['clone', '-u touch /tmp/pwn'],
14+
])('allows %s %s only when using override', async (cmd, option) => {
1115
assertGitError(
1216
await promiseError(newSimpleGit({ unsafe: {} }).raw(cmd, option)),
13-
"allowUnsafePack"
17+
'allowUnsafePack'
1418
);
1519

1620
const err = promiseError(
@@ -22,76 +26,63 @@ describe("blockUnsafeOperationsPlugin", () => {
2226
assertExecutedCommands(cmd, option);
2327
});
2428

25-
it("allows -u for non-clone commands", async () => {
29+
it('allows -u for non-clone commands', async () => {
2630
const git = newSimpleGit({ unsafe: {} });
27-
const err = promiseError(
28-
git.raw("push", "-u", "origin/main")
29-
);
31+
const err = promiseError(git.raw('push', '-u', 'origin/main'));
3032

3133
await closeWithSuccess();
3234
expect(await err).toBeUndefined();
33-
assertExecutedCommands("push", "-u", "origin/main");
35+
assertExecutedCommands('push', '-u', 'origin/main');
3436
});
3537

36-
it("blocks -u for clone command", async () => {
38+
it('blocks -u for clone command', async () => {
3739
const git = newSimpleGit({ unsafe: {} });
38-
const err = promiseError(
39-
git.clone("-u touch /tmp/pwn", "file:///tmp/zero12")
40-
);
40+
const err = promiseError(git.clone('-u touch /tmp/pwn', 'file:///tmp/zero12'));
4141

42-
assertGitError(await err, "allowUnsafePack");
42+
assertGitError(await err, 'allowUnsafePack');
4343
});
4444

45-
it("allows -u for clone command with override", async () => {
45+
it('allows -u for clone command with override', async () => {
4646
const git = newSimpleGit({ unsafe: { allowUnsafePack: true } });
47-
const err = promiseError(
48-
git.clone("-u touch /tmp/pwn", "file:///tmp/zero12")
49-
);
47+
const err = promiseError(git.clone('-u touch /tmp/pwn', 'file:///tmp/zero12'));
5048

5149
await closeWithSuccess();
5250
expect(await err).toBeUndefined();
53-
assertExecutedCommands("clone", "-u touch /tmp/pwn", "file:///tmp/zero12");
51+
assertExecutedCommands('clone', '-u touch /tmp/pwn', 'file:///tmp/zero12');
5452
});
5553

56-
it("blocks pull --upload-pack", async () => {
54+
it('blocks pull --upload-pack', async () => {
5755
const git = newSimpleGit({ unsafe: {} });
58-
const err = await promiseError(
59-
git.pull("--upload-pack=touch /tmp/pwn0", "master")
60-
);
56+
const err = await promiseError(git.pull('--upload-pack=touch /tmp/pwn0', 'master'));
6157

62-
assertGitError(err, "allowUnsafePack");
58+
assertGitError(err, 'allowUnsafePack');
6359
});
6460

65-
it("blocks push --receive-pack", async () => {
61+
it('blocks push --receive-pack', async () => {
6662
const git = newSimpleGit({ unsafe: {} });
67-
const err = await promiseError(
68-
git.push("--receive-pack=touch /tmp/pwn1", "master")
69-
);
63+
const err = await promiseError(git.push('--receive-pack=touch /tmp/pwn1', 'master'));
7064

71-
assertGitError(err, "allowUnsafePack");
65+
assertGitError(err, 'allowUnsafePack');
7266
});
7367

74-
it("blocks raw --upload-pack", async () => {
68+
it('blocks raw --upload-pack', async () => {
7569
const git = newSimpleGit({ unsafe: {} });
76-
const err = await promiseError(git.raw("pull", `--upload-pack=touch /tmp/pwn0`));
70+
const err = await promiseError(git.raw('pull', `--upload-pack=touch /tmp/pwn0`));
7771

78-
assertGitError(err, "allowUnsafePack");
72+
assertGitError(err, 'allowUnsafePack');
7973
});
8074

81-
it("blocks raw --receive-pack", async () => {
75+
it('blocks raw --receive-pack', async () => {
8276
const git = newSimpleGit({ unsafe: {} });
83-
const err = await promiseError(git.raw("push", `--receive-pack=touch /tmp/pwn1`));
77+
const err = await promiseError(git.raw('push', `--receive-pack=touch /tmp/pwn1`));
8478

85-
assertGitError(err, "allowUnsafePack");
79+
assertGitError(err, 'allowUnsafePack');
8680
});
8781

88-
it("blocks listRemote --upload-pack", async () => {
82+
it('blocks listRemote --upload-pack', async () => {
8983
const git = newSimpleGit({ unsafe: {} });
90-
const err = await promiseError(
91-
git.listRemote(["--upload-pack=touch /tmp/pwn2", "main"])
92-
);
84+
const err = await promiseError(git.listRemote(['--upload-pack=touch /tmp/pwn2', 'main']));
9385

94-
assertGitError(err, "allowUnsafePack");
86+
assertGitError(err, 'allowUnsafePack');
9587
});
96-
9788
});
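Review bot: The blocking cases (from `blocks -u for clone command` through `blocks listRemote --upload-pack`) assert only that the promise rejects with an `allowUnsafePack` error, and none of them checks that no git process was started. A guard that rejected after the child process had already been spawned would still pass these tests, yet the property that matters for this control is that the pack command never reaches git. Each blocked case should also assert that nothing was executed, using whatever no-task expectation `./__fixtures__` exposes (its exports beyond the four imported here are not visible on this page). Separately, new lines 70 and 77 still pass the option as a backtick template literal with no interpolation; a plain string matches the rest of the file, e.g. `git.raw('pull', '--upload-pack=touch /tmp/pwn0')`. The body of the first `it.each` test falls between the two hunks and is only partly shown.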
