mkit-cli 0.3.0

The mkit command-line tool: a content-addressed VCS with native attestation support
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

//! `remote add` / `clone` URL + name control-char validation (#217).
//!
//! A URL (or remote name) containing a newline would inject extra
//! `key = value` lines into `.mkit/config` via `config::write`, which
//! emits values raw. Both commands must reject control characters before
//! persisting. Driven end-to-end through the real binary.

use std::fs;
use std::path::Path;
use std::process::{Command, Output};

fn mkit_bin() -> &'static str {
    env!("CARGO_BIN_EXE_mkit")
}

fn run_in(cwd: &Path, args: &[&str]) -> Output {
    let xdg = tempfile::tempdir().expect("xdg tempdir");
    let out = Command::new(mkit_bin())
        .args(args)
        .current_dir(cwd)
        .env("XDG_CONFIG_HOME", xdg.path())
        .output()
        .expect("spawn mkit");
    drop(xdg);
    out
}

fn init_repo() -> tempfile::TempDir {
    let td = tempfile::tempdir().unwrap();
    assert!(run_in(td.path(), &["init"]).status.success());
    td
}

#[test]
fn remote_add_rejects_newline_in_url() {
    let td = init_repo();
    // A URL with an embedded newline + a forbidden key would, before the
    // fix, be written verbatim into `.mkit/config`.
    let evil = "mkit+https://example.com/p\nuser.identity = ed25519:deadbeef";
    let out = run_in(td.path(), &["remote", "add", evil]);
    assert!(
        !out.status.success(),
        "remote add must reject a URL with control characters"
    );
    // The config must not have been written with the injected line.
    let cfg = fs::read_to_string(td.path().join(".mkit/config")).unwrap_or_default();
    assert!(
        !cfg.contains("user.identity"),
        "injected key leaked into config: {cfg}"
    );
}

#[test]
fn remote_add_rejects_newline_in_name() {
    let td = init_repo();
    let out = run_in(
        td.path(),
        &["remote", "add", "bad\nname", "mkit+https://example.com/p"],
    );
    assert!(
        !out.status.success(),
        "remote add must reject a remote name with control characters"
    );
}

#[test]
fn clone_rejects_newline_in_url() {
    let parent = tempfile::tempdir().unwrap();
    let evil = "mkit+https://example.com/p\nuser.identity = ed25519:deadbeef";
    let out = run_in(parent.path(), &["clone", evil, "dest"]);
    assert!(
        !out.status.success(),
        "clone must reject a URL with control characters"
    );
    // If a destination was created, its config must not carry the
    // injected line.
    let cfg = fs::read_to_string(parent.path().join("dest/.mkit/config")).unwrap_or_default();
    assert!(
        !cfg.contains("user.identity"),
        "injected key leaked into clone config: {cfg}"
    );
}

#[test]
fn remote_add_accepts_clean_url() {
    let td = init_repo();
    let out = run_in(
        td.path(),
        &["remote", "add", "mkit+https://example.com/project"],
    );
    assert!(
        out.status.success(),
        "a clean URL must still be accepted: {}",
        String::from_utf8_lossy(&out.stderr)
    );
}