TestRunCommandNoCredentialInjection ensures that attacker-controlled credentials submitted at the unauthenticated login endpoint cannot be injected into the hook command string. Credentials must only ever reach the hook through the USERNAME/PASSWORD environment variables, never via string substitution into the command itself (CWE-78/CWE-88).
(t *testing.T)
| 24 | // hook through the USERNAME/PASSWORD environment variables, never via string |
| 25 | // substitution into the command itself (CWE-78/CWE-88). |
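func TestRunCommandNoCredentialInjection(t *testing.T) {
	if runtime.GOOS == "windows" {
		t.Skip("uses POSIX shell")
	}

	// Canary file: it must not exist once the hook has run. The path is
	// single-quoted inside the payloads below so that a temp dir containing
	// spaces or other shell metacharacters cannot break the injected `touch`
	// and make the test pass vacuously.
	marker := filepath.Join(t.TempDir(), "pwned")
	quoted := "'" + marker + "'"

	// The hook itself never looks at the credentials; it only blocks. The only
	// way the marker can appear is if a credential is interpolated into the
	// command string and evaluated by a shell.
	script := writeHookScript(t, "echo hook.action=block\n")

	// Two classic shell-injection shapes: breaking out of a double-quoted
	// argument, and command substitution (which a shell expands even inside
	// double quotes).
	a := &HookAuth{
		Command: script,
		Cred: hookCred{
			Username: `"; touch ` + quoted + `; #`,
			Password: `$(touch ` + quoted + `)`,
		},
	}

	action, err := a.RunCommand()
	if err != nil {
		t.Fatalf("RunCommand returned error: %v", err)
	}

	// Check the canary before the action so an injection is reported as such
	// even when the hook output was also mangled. Only a genuine "does not
	// exist" counts as success: any other stat error means we cannot tell
	// whether the marker exists and must not be treated as "no injection".
	_, err = os.Stat(marker)
	switch {
	case err == nil:
		t.Fatalf("credential injection executed: marker file %q was created", marker)
	case !os.IsNotExist(err):
		t.Fatalf("stat marker %q: %v", marker, err)
	}

	if action != "block" {
		t.Fatalf("expected action %q, got %q", "block", action)
	}

	// NOTE(review): this test only detects unescaped interpolation into a
	// shell-evaluated command; an implementation that shell-escapes the
	// credential into the command string would still pass here. The
	// environment-variable contract is exercised separately by
	// TestRunCommandReceivesCredentialsViaEnv.
}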
| 57 | |
| 58 | // TestRunCommandReceivesCredentialsViaEnv verifies the supported contract: the |
| 59 | // hook receives credentials through the USERNAME and PASSWORD environment |