t0411: add tests for cloning from partial repo
authorFilip Hejsek <filip.hejsek@gmail.com>
Sun, 28 Jan 2024 03:29:33 +0000 (04:29 +0100)
committerJohannes Schindelin <johannes.schindelin@gmx.de>
Wed, 17 Apr 2024 20:29:53 +0000 (22:29 +0200)
Cloning from a partial repository must not fetch missing objects into
the partial repository, because that can lead to arbitrary code
execution.

Add a couple of test cases, pretending to the `upload-pack` command (and
to that command only) that it is working on a repository owned by
someone else.

Helped-by: Jeff King <peff@peff.net>
Signed-off-by: Filip Hejsek <filip.hejsek@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
t/t0411-clone-from-partial.sh [new file with mode: 0755]

diff --git a/t/t0411-clone-from-partial.sh b/t/t0411-clone-from-partial.sh
new file mode 100755 (executable)
index 0000000..fb72a0a
--- /dev/null
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+test_description='check that local clone does not fetch from promisor remotes'
+
+. ./test-lib.sh
+
+test_expect_success 'create evil repo' '
+       git init tmp &&
+       test_commit -C tmp a &&
+       git -C tmp config uploadpack.allowfilter 1 &&
+       git clone --filter=blob:none --no-local --no-checkout tmp evil &&
+       rm -rf tmp &&
+
+       git -C evil config remote.origin.uploadpack \"\$TRASH_DIRECTORY/fake-upload-pack\" &&
+       write_script fake-upload-pack <<-\EOF &&
+               echo >&2 "fake-upload-pack running"
+               >"$TRASH_DIRECTORY/script-executed"
+               exit 1
+       EOF
+       export TRASH_DIRECTORY &&
+
+       # empty shallow file disables local clone optimization
+       >evil/.git/shallow
+'
+
+test_expect_failure 'local clone must not fetch from promisor remote and execute script' '
+       rm -f script-executed &&
+       test_must_fail git clone \
+               --upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
+               evil clone1 2>err &&
+       ! grep "fake-upload-pack running" err &&
+       test_path_is_missing script-executed
+'
+
+test_expect_failure 'clone from file://... must not fetch from promisor remote and execute script' '
+       rm -f script-executed &&
+       test_must_fail git clone \
+               --upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
+               "file://$(pwd)/evil" clone2 2>err &&
+       ! grep "fake-upload-pack running" err &&
+       test_path_is_missing script-executed
+'
+
+test_expect_failure 'fetch from file://... must not fetch from promisor remote and execute script' '
+       rm -f script-executed &&
+       test_must_fail git fetch \
+               --upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack" \
+               "file://$(pwd)/evil" 2>err &&
+       ! grep "fake-upload-pack running" err &&
+       test_path_is_missing script-executed
+'
+
+test_expect_success 'pack-objects should fetch from promisor remote and execute script' '
+       rm -f script-executed &&
+       echo "HEAD" | test_must_fail git -C evil pack-objects --revs --stdout >/dev/null 2>err &&
+       grep "fake-upload-pack running" err &&
+       test_path_is_file script-executed
+'
+
+test_done
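Review bot: The three `test_expect_failure` cases pass `--upload-pack="GIT_TEST_ASSUME_DIFFERENT_OWNER=true git-upload-pack"`, but nothing in the file says why the variable is set inside that string instead of being exported in the test. The commit message gives the reason (only `upload-pack` is to believe the repository belongs to someone else), and that scoping is what the assertions depend on, so I would add a comment above the first use, e.g. `# only upload-pack is told that "evil" is owned by someone else`. In 'create evil repo', the escaped `\"\$TRASH_DIRECTORY/fake-upload-pack\"` config value and the `\EOF` heredoc both appear to defer expansion of the variable until the command actually runs, which would be why `export TRASH_DIRECTORY` is there. A short comment next to the export, such as `# the uploadpack config value and the fake script expand this at run time`, would keep a later cleanup from dropping it as redundant and silently turning the "script was not executed" checks into no-ops.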