diff options
author | Matías Lang <yo@matiaslang.me> | 2019-01-13 23:27:43 -0300 |
---|---|---|
committer | Matías Lang <yo@matiaslang.me> | 2019-01-13 23:39:50 -0300 |
commit | d027891cec67e190403fc4fa73f17d7a74f02720 (patch) | |
tree | 1a7f5f420ac1785d407032f0d3dcd51fb4060725 /test | |
parent | 889987aa0a7f4852758ed09f70fe5d30f733a6d3 (diff) | |
download | mitmproxy-d027891cec67e190403fc4fa73f17d7a74f02720.tar.gz mitmproxy-d027891cec67e190403fc4fa73f17d7a74f02720.tar.bz2 mitmproxy-d027891cec67e190403fc4fa73f17d7a74f02720.zip |
Fix command injection when exporting to curl
The command generated by `export.clip curl @focus` or `export.file curl
@focus /path/to/file` wasn't being properly escaped so it could contain
a malicious command instead of just a simple curl.
Diffstat (limited to 'test')
-rw-r--r-- | test/mitmproxy/addons/test_export.py | 28 |
1 files changed, 23 insertions, 5 deletions
diff --git a/test/mitmproxy/addons/test_export.py b/test/mitmproxy/addons/test_export.py index f4bb0f64..5c365135 100644 --- a/test/mitmproxy/addons/test_export.py +++ b/test/mitmproxy/addons/test_export.py @@ -1,4 +1,5 @@ import os +import shlex import pytest import pyperclip @@ -47,23 +48,40 @@ def tcp_flow(): class TestExportCurlCommand: def test_get(self, get_request): - result = """curl -H 'header:qvalue' -H 'content-length:0' 'http://address:22/path?a=foo&a=bar&b=baz'""" + result = """curl -H header:qvalue -H content-length:0 'http://address:22/path?a=foo&a=bar&b=baz'""" assert export.curl_command(get_request) == result def test_post(self, post_request): - result = "curl -H 'content-length:256' -X POST 'http://address:22/path' --data-binary '{}'".format( - str(bytes(range(256)))[2:-1] - ) + post_request.request.content = b'nobinarysupport' + result = "curl -H content-length:15 -X POST http://address:22/path --data-binary nobinarysupport" assert export.curl_command(post_request) == result + def test_fails_with_binary_data(self, post_request): + # shlex.quote doesn't support a bytes object + # see https://github.com/python/cpython/pull/10871 + with pytest.raises(exceptions.CommandError): + export.curl_command(post_request) + def test_patch(self, patch_request): - result = """curl -H 'header:qvalue' -H 'content-length:7' -X PATCH 'http://address:22/path?query=param' --data-binary 'content'""" + result = """curl -H header:qvalue -H content-length:7 -X PATCH 'http://address:22/path?query=param' --data-binary content""" assert export.curl_command(patch_request) == result def test_tcp(self, tcp_flow): with pytest.raises(exceptions.CommandError): export.curl_command(tcp_flow) + def test_escape_single_quotes_in_body(self): + request = tflow.tflow( + req=tutils.treq( + method=b'POST', + headers=(), + content=b"'&#" + ) + ) + command = export.curl_command(request) + assert shlex.split(command)[-2] == '--data-binary' + assert shlex.split(command)[-1] == "'&#" + class TestExportHttpieCommand: def test_get(self, get_request): |