From 9c8e0f5c560256244b4b41bc447ae1ef18c74301 Mon Sep 17 00:00:00 2001 From: Jacob Bachmeyer Date: Tue, 25 Jan 2022 21:20:00 -0600 Subject: [PATCH] Add tests for Automake vulnerability filter logic --- testsuite/lib/upload.exp | 20 ++++++ testsuite/upload.all/11_am_cve.exp | 97 ++++++++++++++++++++++++++++++ 2 files changed, 117 insertions(+) create mode 100644 testsuite/upload.all/11_am_cve.exp diff --git a/testsuite/lib/upload.exp b/testsuite/lib/upload.exp index 4e771fb..0b022f3 100644 --- a/testsuite/lib/upload.exp +++ b/testsuite/lib/upload.exp @@ -724,6 +724,26 @@ proc analyze_log { base_dir name assess } { # is likely to be revised as part of other refactoring } + -re {^ftp-upload\[[0-9]+\]: \(Test\)\ + DEBUG: testing .+ for presence of Makefile.in} { + # from check_vulnerabilities via check_files + set A(exploit-check,check-Makefile.in) 1 + exp_continue + } + -re {^ftp-upload\[[0-9]+\]: \(Test\)\ + DEBUG: found Makefile.in, testing for [^\r\n]+} { + # from check_vulnerabilities via check_files + set A(exploit-check,found-Makefile.in) 1 + exp_continue + } + -re {^ftp-upload\[[0-9]+\]: \(Test\)\ + file rejected: [^()]+\((CVE-[0-9-]+)\)[^\r\n]+} { + # from check_vulnerabilities via check_files + set A(exploit-check-fail,$expect_out(1,string)) 1 + exp_continue + } + + -re {^ftp-upload\[[0-9]+\]: \(Test\)\ This signature file exists: [^\r\n]+} { # from install_files, if target exists and replace not set diff --git a/testsuite/upload.all/11_am_cve.exp b/testsuite/upload.all/11_am_cve.exp new file mode 100644 index 0000000..9f1548a --- /dev/null +++ b/testsuite/upload.all/11_am_cve.exp 
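Review bot: The new `DEBUG: testing .+ for presence of Makefile.in` pattern uses `.+` where every neighbouring pattern in this hunk (and the existing `This signature file exists` one) uses `[^\r\n]+`; in Tcl's regex engine `.` matches newline, so this clause can span several log lines and set `exploit-check,check-Makefile.in` from a match that starts on one line and ends on another. Changing it to `DEBUG: testing [^\r\n]+ for presence of Makefile.in` keeps it consistent with its siblings. The `file rejected:` clause has the opposite risk: its trailing `[^\r\n]+` demands at least one character after the closing parenthesis, so a message that ends at `)` would never set `exploit-check-fail,<CVE>` and the testsuite would report a missing log item rather than a pattern problem — if the message format does not guarantee trailing text, `[^\r\n]*` is safer. The enclosing `analyze_log` proc starts and ends outside this hunk.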
@@ -0,0 +1,97 @@
+# Tests for detecting known Automake vulnerabilities
+
+# Copyright (C) 2022 Jacob Bachmeyer
+#
+# This file is part of a testsuite for the GNU FTP upload system.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+proc check_am_cve_upload {desc fragment {log {}}} {
+    set test_case {
+        foo.tar.gz {
+            directive {
+                version 1.2
+                directory foo
+                filename foo.tar.gz
+            } dsig { good 01 1000 }
+            tar-file {
+                README README
+                Makefile.in FRAGMENT_HERE
+            } fsig { good 02 1000 }
+        }
+    }
+    lset test_case { 1 5 3 } $fragment
+
+    set log_items {
+        start "ftp-upload start message"
+        mail,addresses "outgoing mail sent"
+
+        found,foo.tar.gz.directive.asc "found directive in triplet"
+        found-triplet,foo.tar.gz.directive.asc:foo.tar.gz.sig:foo.tar.gz \
+            "found triplet"
+
+        exploit-check,check-Makefile.in "checked for Makefile.in in tarball"
+        exploit-check,found-Makefile.in "found Makefile.in in tarball"
+    }
+    if { [llength $log] > 0 } { append log_items $log }
+
+    set tenv [new_test_environment [file join test.tmp tenv]]
+
+    register_test_packages $tenv {
+        foo {
+            email { "foo@example.org" }
+            keys { { id 1000 name "foo " } }
+            maintainers { "foo " }
+        }
+    }
+
+    make_test_case $tenv $test_case
+
+    start_test_services $tenv
+    run_upload_batch_test
+    stop_test_services
+
+    analyze_log $tenv "am_cve: $desc" $log_items
+    analyze_mail $tenv "am_cve: $desc" to {
+        ftp-upload-script@gnu.org foo@example.gnu.org
+        ftp-upload-report@gnu.org foo@example.org foo@example.net
+    }
+    analyze_file_tree $tenv "am_cve: $desc" \
+        { incoming stage pub archive } empty {}
+    analyze_file_tree $tenv "am_cve: $desc" \
+        { in-stage } files {
+            foo.tar.gz.directive.asc foo.tar.gz.sig foo.tar.gz
+        }
+
+    close_test_environment $tenv
+}
+
+# ----------------------------------------
+
+check_am_cve_upload "CVE-2009-4029 \"A\"" {
+    perm -777 -exec chmod a+rwx
+} { exploit-check-fail,CVE-2009-4029 "CVE-2009-4029 (\"A\") detected" }
+
+check_am_cve_upload "CVE-2009-4029 \"B\"" {
+    chmod 777 $(distdir)
+} { exploit-check-fail,CVE-2009-4029 "CVE-2009-4029 (\"B\") detected" }
+
+check_am_cve_upload "CVE-2012-3386" {
+    chmod a+w $(distdir)
+} { exploit-check-fail,CVE-2012-3386 "CVE-2012-3386 detected" }
+
+
+# ----------------------------------------
+
+#EOF
-- 
2.25.1
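Review bot: All three `check_am_cve_upload` calls exercise only the rejection path, so this suite cannot distinguish a correct vulnerability filter from one that rejects every tarball containing a `Makefile.in`; a false positive here blocks legitimate releases, so a negative case with a fragment the filter must accept (a `Makefile.in` without the `perm -777`/`chmod a+w $(distdir)` idioms) is worth adding. Because the proc hard-codes the rejected-upload expectations (`incoming stage pub archive` empty, the triplet left in `in-stage`, no `exploit-check-fail` item), that negative case needs those expectations parameterized or a sibling proc rather than another call of this one. Separately, `append log_items $log` only yields a well-formed list because the brace literal happens to end in whitespace; `set log_items [concat $log_items $log]` states the intent and does not depend on that trailing newline.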