Skip to content

Commit 19c79e6

Browse files
authored
Add coverage detection on WindowsLocalCommandExecutor (#3979)
Signed-off-by: Olivier Perrin <olivier.perrin@rte-france.com>
1 parent 7aa28d8 commit 19c79e6

2 files changed

Lines changed: 15 additions & 3 deletions

File tree

computation-local/src/main/java/com/powsybl/computation/local/WindowsLocalCommandExecutor.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -101,7 +101,7 @@ private static String escapeCmdEnvValue(String value) {
101101
.replace("\r", "");
102102
}
103103

104-
private static String escapeCmdArg(String arg) {
104+
protected static String escapeCmdArg(String arg) {
105105
// Double any trailing backslashes before the closing quote
106106
int trailingBackslashes = 0;
107107
for (int i = arg.length() - 1; i >= 0 && arg.charAt(i) == '\\'; i--) {

computation-local/src/test/java/com/powsybl/computation/local/LocalCommandExecutorSecurityTest.java

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -144,8 +144,9 @@ void testCommandInjectionInParametersOnWindows() {
144144
assertFalse(Files.exists(pwndFileEnvVariable), String.format("[!] Command injection confirmed: %s created", pwndFileEnvVariable));
145145
}
146146

147+
// The following test can be executed on every OS.
148+
// It asserts that no system command is run when invalid environment variable names are detected.
147149
@Test
148-
@EnabledOnOs(OS.WINDOWS)
149150
void testCommandInjectionViaEnvVarNameOnWindows() {
150151
// 7. Injection via environment variable name: names cannot be safely escaped,
151152
// so the executor must reject invalid names outright.
@@ -165,8 +166,9 @@ void testCommandInjectionViaEnvVarNameOnWindows() {
165166
assertFalse(Files.exists(pwndFileEnvVarName), String.format("[!] Command injection confirmed: %s created", pwndFileEnvVarName));
166167
}
167168

169+
// The following test can be executed on every OS.
170+
// It asserts that no system command is run when an invalid program name is detected.
168171
@Test
169-
@EnabledOnOs(OS.WINDOWS)
170172
void testCommandInjectionViaProgramNameOnWindows() {
171173
// 8. Injection via program name containing a double quote.
172174
// The executor must reject program names with quotes rather than pass them raw.
@@ -192,4 +194,14 @@ void testCommandInjectionViaProgramNameOnWindows() {
192194
assertEquals("Program name must not contain spaces", exception2.getMessage());
193195
assertFalse(Files.exists(pwndFileEnvVarName), String.format("[!] Command injection confirmed: %s created", pwndFileEnvVarName));
194196
}
197+
198+
@Test
199+
void testEscapeCmdArgOnWindows() {
200+
assertEquals("abc\\\\\\\\", WindowsLocalCommandExecutor.escapeCmdArg("abc\\\\"));
201+
assertEquals("a^^b", WindowsLocalCommandExecutor.escapeCmdArg("a^b"));
202+
assertEquals("a^%", WindowsLocalCommandExecutor.escapeCmdArg("a%"));
203+
assertEquals("^!ab", WindowsLocalCommandExecutor.escapeCmdArg("!ab"));
204+
assertEquals("a\"\"b", WindowsLocalCommandExecutor.escapeCmdArg("a\"b"));
205+
assertEquals("ab", WindowsLocalCommandExecutor.escapeCmdArg("a\n\rb"));
206+
}
195207
}

0 commit comments

Comments
 (0)