From 1694606e12d8950b003ff86248883732ef05e00c Mon Sep 17 00:00:00 2001

From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Date: Fri, 19 Jun 2020 11:59:33 +0200

Subject: [PATCH] tests: Add test for CVE-2019-14889

The test checks if a command appended to the file path is not executed.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

---

 tests/client/torture_scp.c | 84 ++++++++++++++++++++++++++++++++++++++

 1 file changed, 84 insertions(+)

diff --git a/tests/client/torture_scp.c b/tests/client/torture_scp.c

index 8f080af3..59a00bae 100644

--- a/tests/client/torture_scp.c

+++ b/tests/client/torture_scp.c

@@ -37,6 +37,7 @@

 #define BUF_SIZE 1024

 #define TEMPLATE BINARYDIR "/tests/home/alice/temp_dir_XXXXXX"

+#define ALICE_HOME BINARYDIR "/tests/home/alice"

 struct scp_st {

     struct torture_state *s;

@@ -540,6 +541,86 @@ static void torture_scp_upload_newline(void **state)

     fclose(file);

 }

+static void torture_scp_upload_appended_command(void **state)

+{

+    struct scp_st *ts = NULL;

+    struct torture_state *s = NULL;

+

+    ssh_session session = NULL;

+    ssh_scp scp = NULL;

+

+    FILE *file = NULL;

+

+    char buf[1024];

+    char *rs = NULL;

+    int rc;

+

+    assert_non_null(state);

+    ts = *state;

+

+    assert_non_null(ts->s);

+    s = ts->s;

+

+    session = s->ssh.session;

+    assert_non_null(session);

+

+    assert_non_null(ts->tmp_dir_basename);

+    assert_non_null(ts->tmp_dir);

+

+    /* Upload a file path with a command appended */

+

+    /* Append a command to the file path */

+    snprintf(buf, BUF_SIZE, "%s"

+             "/;touch hack",

+             ts->tmp_dir);

+

+    /* When writing the file_name must be the directory name */

+    scp = ssh_scp_new(session, SSH_SCP_WRITE | SSH_SCP_RECURSIVE,

+                      buf);

+    assert_non_null(scp);

+

+    rc = ssh_scp_init(scp);

+    assert_ssh_return_code(session, rc);

+

+    /* Push directory where the new file will be copied */

+    rc = ssh_scp_push_directory(scp, ";touch hack", 0755);

+    assert_ssh_return_code(session, rc);

+

+    /* Try to push file */

+    rc = ssh_scp_push_file(scp, "original", 8, 0644);

+    assert_ssh_return_code(session, rc);

+

+    rc = ssh_scp_write(scp, "original", 8);

+    assert_ssh_return_code(session, rc);

+

+    /* Leave the directory */

+    rc = ssh_scp_leave_directory(scp);

+    assert_ssh_return_code(session, rc);

+

+    /* Cleanup */

+    ssh_scp_close(scp);

+    ssh_scp_free(scp);

+

+    /* Make sure the command was not executed */

+    snprintf(buf, BUF_SIZE, ALICE_HOME "/hack");

+    file = fopen(buf, "r");

+    assert_null(file);

+

+    /* Open the file and check content */

+    snprintf(buf, BUF_SIZE, "%s"

+             "/;touch hack/original",

+             ts->tmp_dir);

+

+    file = fopen(buf, "r");

+    assert_non_null(file);

+

+    rs = fgets(buf, 1024, file);

+    assert_non_null(rs);

+    assert_string_equal(buf, "original");

+

+    fclose(file);

+}

+

 int torture_run_tests(void)

 {

     int rc;

@@ -559,6 +640,9 @@ int torture_run_tests(void)

         cmocka_unit_test_setup_teardown(torture_scp_upload_newline,

                                         session_setup,

                                         session_teardown),

+        cmocka_unit_test_setup_teardown(torture_scp_upload_appended_command,

+                                        session_setup,

+                                        session_teardown),

     };

     ssh_init();

-- 

2.26.2