Ensure paths are not followed through parent links

Miguel Jacq 2026-06-22 15:32:40 +10:00
parent e10a3f62b0
commit 07b07e60c5
Signed by: mig5
GPG key ID: 03906B4110AAD3B8
9 changed files with 323 additions and 23 deletions


@ -221,6 +221,25 @@ def test_find_user_ssh_files_ignores_symlink(tmp_path: Path):
assert result == []
def test_find_user_ssh_files_ignores_symlinked_ssh_dir(tmp_path: Path):
"""A user who replaces ~/.ssh with a symlink to a sensitive directory must
not have files inside it harvested through the symlinked parent. os.path.isdir
follows symlinks, so the directory itself must be checked with islink().
"""
from enroll.accounts import find_user_ssh_files
sensitive = tmp_path / "sensitive"
sensitive.mkdir()
(sensitive / "authorized_keys").write_text("ssh-rsa AAAA...\n", encoding="utf-8")
home = tmp_path / "home" / "mallory"
home.mkdir(parents=True)
os.symlink(str(sensitive), str(home / ".ssh"))
assert find_user_ssh_files(str(home)) == []
def test_find_user_ssh_files_handles_home_not_starting_with_slash():
from enroll.accounts import find_user_ssh_files
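Review bot: The closing `assert find_user_ssh_files(str(home)) == []` in test_find_user_ssh_files_ignores_symlinked_ssh_dir would also pass if the function returned nothing for this fixture layout for an unrelated reason, so by itself it does not show that the symlinked `.ssh` was what got rejected. Unless a positive case elsewhere in this file already uses the same layout, add a control in the same test: a second home with a real `.ssh` directory holding `authorized_keys`, followed by `assert find_user_ssh_files(str(other_home)) != []`. The docstring also ties the test to an `islink()` check; the implementation is not visible in this hunk, but if it is a check followed by a later open, the directory can be swapped between the two steps, so a comment at the check (or opening with `os.O_NOFOLLOW` / `dir_fd`) would be worth having. The test only covers `.ssh` itself being a link, not an intermediate component of the home path; other files in this commit may cover that.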