From d9b8dce97504282ff313f0caa926bf63e978b09a Mon Sep 17 00:00:00 2001
From: "Michael Hirsch, Ph.D"
Date: Wed, 27 Nov 2019 00:18:29 -0500
Subject: wrap: check whitelist subdomain wrap: add imposter URL test this test shows that meson wrap subsystem historically allows imposter URLs like https://wrapdb.mesonwrap.com.evil/v1/foo.zip while the new code does no.
---
manual tests/11 wrap imposter/meson.build | 8 ++++++++
manual tests/11 wrap imposter/subprojects/zlib.wrap | 10 ++++++++++
manual tests/12 wrap mirror/meson.build | 4 ++++
manual tests/12 wrap mirror/subprojects/zlib.wrap | 10 ++++++++++
4 files changed, 32 insertions(+)
create mode 100644 manual tests/11 wrap imposter/meson.build
create mode 100644 manual tests/11 wrap imposter/subprojects/zlib.wrap
create mode 100644 manual tests/12 wrap mirror/meson.build
create mode 100644 manual tests/12 wrap mirror/subprojects/zlib.wrap
(limited to 'manual tests')
diff --git a/manual tests/11 wrap imposter/meson.build b/manual tests/11 wrap imposter/meson.build
new file mode 100644
index 000000000..d0575acf7
--- /dev/null
+++ b/manual tests/11 wrap imposter/meson.build
@@ -0,0 +1,8 @@
+project('evil URL')
+# showing that new Meson wrap.py code tries to stop imposter WrapDB URLs
+# a WrapException is raised.
+#
+# ERROR: https://wrapdb.mesonbuild.com.invalid/v1/projects/zlib/1.2.11/4/get_zip may be a WrapDB-impersonating URL
+#
+
+subproject('zlib')
\ No newline at end of file
diff --git a/manual tests/11 wrap imposter/subprojects/zlib.wrap b/manual tests/11 wrap imposter/subprojects/zlib.wrap
new file mode 100644
index 000000000..b88f8f2ab
--- /dev/null
+++ b/manual tests/11 wrap imposter/subprojects/zlib.wrap
@@ -0,0 +1,10 @@
+[wrap-file]
+directory = zlib-1.2.8
+
+source_url = https://zlib.net/zlib-1.2.11.tar.gz
+source_filename = zlib-1.2.11.tar.gz
+source_hash = c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1
+
+patch_url = https://wrapdb.mesonbuild.com.invalid/v1/projects/zlib/1.2.11/4/get_zip
+patch_filename = zlib-1.2.11-4-wrap.zip
+patch_hash = 886b67480dbe73b406ad83a1dd6d9596f93089d90c220ccfc91944c95f1c68c4
\ No newline at end of file
diff --git a/manual tests/12 wrap mirror/meson.build b/manual tests/12 wrap mirror/meson.build
new file mode 100644
index 000000000..6645bdf26
--- /dev/null
+++ b/manual tests/12 wrap mirror/meson.build
@@ -0,0 +1,4 @@
+project('downloader')
+# this test will timeout, showing that a subdomain isn't caught as masquarading url
+
+subproject('zlib')
diff --git a/manual tests/12 wrap mirror/subprojects/zlib.wrap b/manual tests/12 wrap mirror/subprojects/zlib.wrap
new file mode 100644
index 000000000..de0b9ad07
--- /dev/null
+++ b/manual tests/12 wrap mirror/subprojects/zlib.wrap
@@ -0,0 +1,10 @@
+[wrap-file]
+directory = zlib-1.2.8
+
+source_url = https://zlib.net/zlib-1.2.11.tar.gz
+source_filename = zlib-1.2.11.tar.gz
+source_hash = c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1
+
+patch_url = https://mirror1.wrapdb.mesonbuild.com/v1/projects/zlib/1.2.11/4/get_zip
+patch_filename = zlib-1.2.11-4-wrap.zip
+patch_hash = 886b67480dbe73b406ad83a1dd6d9596f93089d90c220ccfc91944c95f1c68c4
\ No newline at end of file
-- 
cgit v1.2.1
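Review bot: `directory = zlib-1.2.8` in `manual tests/11 wrap imposter/subprojects/zlib.wrap` does not match the tarball the same file names (`zlib-1.2.11.tar.gz`), so if a download ever completed the extracted tree would presumably not be where Meson looks for the subproject; it should read `directory = zlib-1.2.11`. The same line appears in `manual tests/12 wrap mirror/subprojects/zlib.wrap`. Separately, `source_url` points at the live zlib.net host, so whether this test reaches the `patch_url` check offline depends on the order in which wrap.py handles source and patch, which is not visible on this page; a comment such as `# needs network access: the source archive is fetched from zlib.net` would make that explicit. Using the reserved `.invalid` TLD for the imposter host is the right choice, since it can never resolve to a real server.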
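Review bot: A timeout is a weak pass signal for `manual tests/12 wrap mirror/meson.build`: it cannot be told apart from any other network failure, and the outcome changes if `mirror1.wrapdb.mesonbuild.com` is ever given a DNS record. The comment should state the expected result in terms of the check itself, for example `# expected: a download attempt (network error or timeout), NOT a WrapException about a WrapDB-impersonating URL`, and correct the spelling `masquarading` to `masquerading`. The accept/reject decision would be better pinned by a unit test that calls the hostname check directly with the mirror host and the imposter host, so that no network is involved and the result is deterministic. The wrap.py side of this change is not shown on this page, so the exact function to call would need confirming.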