d71c808ec3
In a subsequent commit to remediate CVE-2022-24826 we will revise how Git LFS handles process execution on Windows when no executable is found in PATH, specifically so as to avoid triggering a bug in the Go os/exec package which may result in a binary named "..exe", "..com", etc. running instead of the intended program. This bug does not manifest in the same way with "..bat" or "..cmd" files, due to some undocumented features of the Win32 API called by Go.

Therefore, in order to write a test which demonstrates the bug and can be used to confirm that our changes are effective, we will need to generate a binary with a .exe extension, whose execution we can reliably detect. For that purpose we add a small Go program which we compile along with our other test helpers, and which emulates the behaviour of the "git.bat" script file created by the existing tests in t/t-path.sh.

In particular, this new helper outputs the text "exploit" to both stdout and stderr, and tries to create a file named "exploit" in the current working directory.

In subsequent commits we will first refactor our existing tests in t/t-path.sh to make use of this new helper, and then add a test to demonstrate the problem from CVE-2022-24826 and its resolution by the accompanying changes to Git LFS.
20 lines
222 B
Go
//go:build testtools
// +build testtools

package main

import (
	"fmt"
	"os"
)

func main() {
	// Announce execution on both streams so a test can detect it.
	fmt.Println("exploit")
	fmt.Fprintln(os.Stderr, "exploit")

	// Leave a marker file in the current working directory.
	f, err := os.Create("exploit")
	// Close the file only if it was created; f is nil when err is set.
	if err == nil {
		f.Close()
	}
}
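A fail-closed executable lookup, sketching the condition the commit message describes (no executable found in PATH). This is an added example, not code from this commit and not the project's actual fix: `resolveExecutable`, `safeCommand` and `errNotResolved` are hypothetical names, and the policy of refusing to start a process unless PATH lookup yields an absolute path is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
)

// errNotResolved (hypothetical) marks a lookup that produced no trustworthy path.
var errNotResolved = errors.New("executable not resolved to an absolute path")

// resolveExecutable (hypothetical helper) looks name up in PATH and fails
// closed: a lookup error, an empty result, or a relative result (for example
// a file in the current working directory) is reported as an error, so the
// caller never builds a command from an unresolved name.
func resolveExecutable(name string) (string, error) {
	path, err := exec.LookPath(name)
	if err != nil {
		return "", fmt.Errorf("%w: %q: %v", errNotResolved, name, err)
	}
	if path == "" || !filepath.IsAbs(path) {
		return "", fmt.Errorf("%w: %q resolved to %q", errNotResolved, name, path)
	}
	return path, nil
}

// safeCommand (hypothetical helper) constructs the *exec.Cmd only after the
// lookup succeeded, and passes the absolute path so no second, implicit
// lookup happens when the process is started.
func safeCommand(name string, args ...string) (*exec.Cmd, error) {
	path, err := resolveExecutable(name)
	if err != nil {
		return nil, err
	}
	return exec.Command(path, args...), nil
}

func main() {
	// Constructed name that should not exist in PATH on any system.
	cmd, err := safeCommand("lfs-example-missing-tool", "version")
	if err != nil {
		fmt.Println("refusing to run:", err)
		return
	}
	fmt.Println("would run:", cmd.Path)
}
```
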