# is likely to be revised as part of other refactoring
}
+ -re {^ftp-upload\[[0-9]+\]: \(Test\)\
+ DEBUG: testing .+ for presence of Makefile.in} {
+ # from check_vulnerabilities via check_files
+ set A(exploit-check,check-Makefile.in) 1
+ exp_continue
+ }
+ -re {^ftp-upload\[[0-9]+\]: \(Test\)\
+ DEBUG: found Makefile.in, testing for [^\r\n]+} {
+ # from check_vulnerabilities via check_files
+ set A(exploit-check,found-Makefile.in) 1
+ exp_continue
+ }
+ -re {^ftp-upload\[[0-9]+\]: \(Test\)\
+ file rejected: [^()]+\((CVE-[0-9-]+)\)[^\r\n]+} {
+ # from check_vulnerabilities via check_files
+ set A(exploit-check-fail,$expect_out(1,string)) 1
+ exp_continue
+ }
+
+
-re {^ftp-upload\[[0-9]+\]: \(Test\)\
This signature file exists: [^\r\n]+} {
# from install_files, if target exists and replace not set
--- /dev/null
+# Tests for detecting known Automake vulnerabilities
+
+# Copyright (C) 2022 Jacob Bachmeyer
+#
+# This file is part of a testsuite for the GNU FTP upload system.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+proc check_am_cve_upload {desc fragment {log {}}} {
+ set test_case {
+ foo.tar.gz {
+ directive {
+ version 1.2
+ directory foo
+ filename foo.tar.gz
+ } dsig { good 01 1000 }
+ tar-file {
+ README README
+ Makefile.in FRAGMENT_HERE
+ } fsig { good 02 1000 }
+ }
+ }
+ lset test_case { 1 5 3 } $fragment
+
+ set log_items {
+ start "ftp-upload start message"
+ mail,addresses "outgoing mail sent"
+
+ found,foo.tar.gz.directive.asc "found directive in triplet"
+ found-triplet,foo.tar.gz.directive.asc:foo.tar.gz.sig:foo.tar.gz \
+ "found triplet"
+
+ exploit-check,check-Makefile.in "checked for Makefile.in in tarball"
+ exploit-check,found-Makefile.in "found Makefile.in in tarball"
+ }
+ if { [llength $log] > 0 } { append log_items $log }
+
+ set tenv [new_test_environment [file join test.tmp tenv]]
+
+ register_test_packages $tenv {
+ foo {
+ email { "foo@example.org" }
+ keys { { id 1000 name "foo <foo@example.gnu.org>" } }
+ maintainers { "foo <foo@example.net>" }
+ }
+ }
+
+ make_test_case $tenv $test_case
+
+ start_test_services $tenv
+ run_upload_batch_test
+ stop_test_services
+
+ analyze_log $tenv "am_cve: $desc" $log_items
+ analyze_mail $tenv "am_cve: $desc" to {
+ ftp-upload-script@gnu.org foo@example.gnu.org
+ ftp-upload-report@gnu.org foo@example.org foo@example.net
+ }
+ analyze_file_tree $tenv "am_cve: $desc" \
+ { incoming stage pub archive } empty {}
+ analyze_file_tree $tenv "am_cve: $desc" \
+ { in-stage } files {
+ foo.tar.gz.directive.asc foo.tar.gz.sig foo.tar.gz
+ }
+
+ close_test_environment $tenv
+}
+
+# ----------------------------------------
+
+check_am_cve_upload "CVE-2009-4029 \"A\"" {
+ perm -777 -exec chmod a+rwx
+} { exploit-check-fail,CVE-2009-4029 "CVE-2009-4029 (\"A\") detected" }
+
+check_am_cve_upload "CVE-2009-4029 \"B\"" {
+ chmod 777 $(distdir)
+} { exploit-check-fail,CVE-2009-4029 "CVE-2009-4029 (\"B\") detected" }
+
+check_am_cve_upload "CVE-2012-3386" {
+ chmod a+w $(distdir)
+} { exploit-check-fail,CVE-2012-3386 "CVE-2012-3386 detected" }
+
+
+# ----------------------------------------
+
+#EOF
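Review bot: `append log_items $log` in check_am_cve_upload only yields a well-formed list because the brace-quoted log_items literal happens to end with a newline and indentation before its closing brace; if that trailing whitespace is ever trimmed, the last built-in item and the first element of $log fuse into one word and analyze_log silently checks a key that can never be set. Build it as a list instead, `if { [llength $log] > 0 } { set log_items [concat $log_items $log] }`. The `lset test_case { 1 5 3 } $fragment` index path is also opaque; a comment such as `# {1 5 3} -> tar-file contents of foo.tar.gz, the FRAGMENT_HERE slot for Makefile.in`, or a guard that `[lindex $test_case 1 5 3]` still equals FRAGMENT_HERE before the lset, would keep a later fixture edit from silently rewriting the wrong slot. The three cases only cover rejected uploads; a control case with a harmless Makefile.in that expects exploit-check,found-Makefile.in but no exploit-check-fail key would confirm the check does not reject benign tarballs.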