
Commit f06a77a

committed
teat: move malicious tar test
1 parent d91f291 commit f06a77a

2 files changed

+8
-51
lines changed

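--- a/provisioner/terraform/provision_test.go
+++ b/provisioner/terraform/provision_test.go
@@ -1060,6 +1060,14 @@ func TestProvision(t *testing.T) {
 },
 SkipCacheProviders: true,
 },
+{
+Name: "malicious-tar",
+Files: map[string]string{
+// Non-local path outside the working directory.
+"../../../etc/passwd": "content",
+},
+InitErrorContains: "refusing to extract to non-local path",
+},
 }
 
 // Remove unused cache dirs before running tests.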
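Review bot: The new `malicious-tar` case covers only one non-local shape, the relative `../../../etc/passwd` entry, so a regression that still rejects `..` segments but accepts an absolute entry name would not be caught. A second table entry with `Files: map[string]string{"/etc/passwd": "content"}` and the same `InitErrorContains` would cover that, assuming the extractor rejects both through one locality check (the removed provisionerd test suggests `filepath.IsLocal`, but the extraction code is not on this page). The comment could also say where the rejection happens, for example `// Rejected by archive extraction during init; nothing may be written outside the working directory.` The enclosing test table in TestProvision starts and ends outside the hunk.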

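--- a/provisionerd/provisionerd_test.go
+++ b/provisionerd/provisionerd_test.go
@@ -149,57 +149,6 @@ func TestProvisionerd(t *testing.T) {
 require.NoError(t, closer.Close())
 })
 
-t.Run("MaliciousTar", func(t *testing.T) {
-// Ensures tars with "../../../etc/passwd" as the path
-// are not allowed to run, and will fail the job.
-t.Parallel()
-done := make(chan struct{})
-t.Cleanup(func() {
-close(done)
-})
-var (
-completeChan = make(chan struct{})
-completeOnce sync.Once
-acq = newAcquireOne(t, &proto.AcquiredJob{
-JobId: "test",
-Provisioner: "someprovisioner",
-TemplateSourceArchive: testutil.CreateTar(t, map[string]string{
-"../../../etc/passwd": "content",
-}),
-Type: &proto.AcquiredJob_TemplateImport_{
-TemplateImport: &proto.AcquiredJob_TemplateImport{
-Metadata: &sdkproto.Metadata{},
-},
-},
-})
-)
-
-closer := createProvisionerd(t, func(ctx context.Context) (proto.DRPCProvisionerDaemonClient, error) {
-return createProvisionerDaemonClient(t, done, provisionerDaemonTestServer{
-acquireJobWithCancel: acq.acquireWithCancel,
-updateJob: noopUpdateJob,
-failJob: func(ctx context.Context, job *proto.FailedJob) (*proto.Empty, error) {
-completeOnce.Do(func() { close(completeChan) })
-return &proto.Empty{}, nil
-},
-}), nil
-}, provisionerd.LocalProvisioners{
-"someprovisioner": createProvisionerClient(t, done, provisionerTestServer{
-init: func(s *provisionersdk.Session, r *sdkproto.InitRequest, canceledOrComplete <-chan struct{}) *sdkproto.InitComplete {
-// TODO: This comes from ExtractArchive which is moved to the `init` step.
-if !filepath.IsLocal("../../../etc/passwd") {
-return &sdkproto.InitComplete{
-Error: "refusing to extract to non-local path",
-}
-}
-return &sdkproto.InitComplete{}
-},
-}),
-})
-require.Condition(t, closedWithin(completeChan, testutil.WaitMedium))
-require.NoError(t, closer.Close())
-})
-
 // LargePayloads sends a 3mb tar file to the provisioner. The provisioner also
 // returns large payload messages back. The limit should be 4mb, so all
 // these messages should work.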
