Add test

1 files changed, 26 insertions, 0 deletions

diff --git a/test/test_repo.py b/test/test_repo.py
index 703dbb43..6382db7e 100644
--- a/test/test_repo.py
+++ b/test/test_repo.py
@@ -1180,3 +1180,29 @@ class TestRepo(TestBase):
         r.git.add(Git.polish_url(fp))
         r.git.commit(message="init")
         self.assertEqual(r.git.show("HEAD:hello.txt", strip_newline_in_stdout=False), "hello\n")
+
+    @with_rw_repo("HEAD")
+    def test_clone_command_injection(self, rw_repo):
+        tmp_dir = pathlib.Path(tempfile.mkdtemp())
+        unexpected_file = tmp_dir / "pwn"
+        assert not unexpected_file.exists()
+
+        payload = f"--upload-pack=touch {unexpected_file}"
+        rw_repo.clone(payload)
+
+        assert not unexpected_file.exists()
+        # A repo was cloned with the payload as name
+        assert pathlib.Path(payload).exists()
+
+    @with_rw_repo("HEAD")
+    def test_clone_from_command_injection(self, rw_repo):
+        tmp_dir = pathlib.Path(tempfile.mkdtemp())
+        temp_repo = Repo.init(tmp_dir / "repo")
+        unexpected_file = tmp_dir / "pwn"
+
+        assert not unexpected_file.exists()
+        payload = f"--upload-pack=touch {unexpected_file}"
+        with self.assertRaises(GitCommandError):
+            rw_repo.clone_from(payload, temp_repo.common_dir)
+
+        assert not unexpected_file.exists()