authorMatías Lang <yo@matiaslang.me>2019-01-13 23:45:28 -0300
committerMatías Lang <yo@matiaslang.me>2019-01-13 23:45:28 -0300
commiteab4174b87c7ba0b7dab2c8d7e0b13253833abe8 (patch)
tree26cc596af11c4b471a1f021a5e1819f1368a10f7 /test
parentd027891cec67e190403fc4fa73f17d7a74f02720 (diff)
Fix command injection when exporting to httpie
The command generated by `export.clip httpie @focus` or `export.file httpie @focus /path/to/file` wasn't being properly escaped, so it could contain a malicious command instead of just a simple httpie call.
Diffstat (limited to 'test')
-rw-r--r--test/mitmproxy/addons/test_export.py27
1 files changed, 22 insertions, 5 deletions
diff --git a/test/mitmproxy/addons/test_export.py b/test/mitmproxy/addons/test_export.py
index 5c365135..67d0fc99 100644
--- a/test/mitmproxy/addons/test_export.py
+++ b/test/mitmproxy/addons/test_export.py
@@ -85,23 +85,40 @@ class TestExportCurlCommand:
class TestExportHttpieCommand:
def test_get(self, get_request):
- result = """http GET http://address:22/path?a=foo&a=bar&b=baz 'header:qvalue' 'content-length:0'"""
+ result = """http GET 'http://address:22/path?a=foo&a=bar&b=baz' header:qvalue content-length:0"""
assert export.httpie_command(get_request) == result
def test_post(self, post_request):
- result = "http POST http://address:22/path 'content-length:256' <<< '{}'".format(
- str(bytes(range(256)))[2:-1]
- )
+ post_request.request.content = b'nobinarysupport'
+ result = "http POST http://address:22/path content-length:15 <<< nobinarysupport"
assert export.httpie_command(post_request) == result
+ def test_fails_with_binary_data(self, post_request):
+ # shlex.quote doesn't support a bytes object
+ # see https://github.com/python/cpython/pull/10871
+ with pytest.raises(exceptions.CommandError):
+ export.httpie_command(post_request)
+
def test_patch(self, patch_request):
- result = """http PATCH http://address:22/path?query=param 'header:qvalue' 'content-length:7' <<< 'content'"""
+ result = """http PATCH 'http://address:22/path?query=param' header:qvalue content-length:7 <<< content"""
assert export.httpie_command(patch_request) == result
def test_tcp(self, tcp_flow):
with pytest.raises(exceptions.CommandError):
export.httpie_command(tcp_flow)
+ def test_escape_single_quotes_in_body(self):
+ request = tflow.tflow(
+ req=tutils.treq(
+ method=b'POST',
+ headers=(),
+ content=b"'&#"
+ )
+ )
+ command = export.httpie_command(request)
+ assert shlex.split(command)[-2] == '<<<'
+ assert shlex.split(command)[-1] == "'&#"
+
class TestRaw:
def test_get(self, get_request):
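Review bot: `test_escape_single_quotes_in_body` only exercises quoting of the request body, while the changed expectations in `test_get` and `test_patch` show that the URL and header values are now passed through the quoter as well; a sibling case with a header value containing a space and a single quote, checked with the same `shlex.split` round-trip, would pin the fix at those positions too. In the same test `shlex.split(command)` is computed twice; `args = shlex.split(command)` followed by `assert args[-2:] == ['<<<', "'&#"]` reads better and gives a more useful failure message. `test_fails_with_binary_data` depends on the `post_request` fixture's default body not being valid text (the removed lines in `test_post` suggest it is `bytes(range(256))`); a one-line comment such as `# relies on the post_request fixture body being non-text bytes` would make that coupling explicit to whoever next edits the fixture. The fixtures themselves are defined outside the hunk, so this is inferred from the removed lines rather than verified.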