# HG changeset patch
# User Mateusz Kwapich <mitrandir@fb.com>
# Date 1458692847 25200
#      Tue Mar 22 17:27:27 2016 -0700
# Branch stable
# Node ID ae279d4a19e9683214cbd1fe8298cf0b50571432
# Parent  80cac1de6aea89f9d068abb09b0ea58c70bd7130
convert: test for shell injection in git calls (SEC)

CVE-2016-3069 (5/5)

Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.

--- mercurial-2.2.2.orig/tests/test-convert-git.t
+++ mercurial-2.2.2/tests/test-convert-git.t
@@ -289,5 +289,22 @@ damage git repository and convert again
   > EOF
   $ python damage.py
   $ hg convert git-repo4 git-repo4-broken-hg 2>&1 | \
   >     grep 'abort:' | sed 's/abort:.*/abort:/g'
   abort:
+
+test for escaping the repo name (CVE-2016-3069)
+
+  $ git init '`echo pwned >COMMAND-INJECTION`'
+  Initialized empty Git repository in $TESTTMP/`echo pwned >COMMAND-INJECTION`/.git/
+  $ cd '`echo pwned >COMMAND-INJECTION`'
+  $ git commit -q --allow-empty -m 'empty'
+  $ cd ..
+  $ hg convert '`echo pwned >COMMAND-INJECTION`' 'converted'
+  initializing destination converted repository
+  scanning source...
+  sorting...
+  converting...
+  0 empty
+  updating bookmarks
+  $ test -f COMMAND-INJECTION
+  [1]
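Review bot: the hunk covers a single injection vector, the source repository path handed to `hg convert` (the `'`echo pwned >COMMAND-INJECTION`'` argument), but the commit message says git calls were previously not escaped at all, so other arguments convert forwards to git (ref or branch names, for example) are left unexercised; consider a second case with the same `test -f COMMAND-INJECTION` / `[1]` assertion so a regression in any of those paths is caught too. The negative check itself is sound here because the expected `scanning source...` through `updating bookmarks` lines confirm git was actually invoked and the conversion completed, rather than the command aborting before any shell call; keep those output lines rather than filtering them, since without them an early failure would also leave the marker file absent and the test would pass vacuously. Minor: the `Initialized empty Git repository in $TESTTMP/...` line is git's own wording, so if other tests in this file already glob over git banner output it would be consistent to do the same here.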
