diff options
Diffstat (limited to 'rt/t/api/execute-code.t')
-rw-r--r-- | rt/t/api/execute-code.t | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/rt/t/api/execute-code.t b/rt/t/api/execute-code.t new file mode 100644 index 000000000..7f72be90a --- /dev/null +++ b/rt/t/api/execute-code.t @@ -0,0 +1,108 @@ +use strict; +use warnings; +use RT::Test tests => 17; + +my $ticket = RT::Ticket->new(RT->SystemUser); +ok( + $ticket->Create( + Subject => 'blue lines', + Queue => 'General', + ) +); + +my $attacker = RT::User->new(RT->SystemUser); +ok( + $attacker->Create( + Name => 'attacker', + Password => 'foobar', + Privileged => 1, + ) +); + +my $template_as_attacker = RT::Template->new($attacker); + +# can't create templates without ModifyTemplate +my ($ok, $msg) = $template_as_attacker->Create( + Name => 'Harmless, honest!', + Content => "\nhello ;)", + Type => 'Perl', +); +ok(!$ok, 'permission to create denied'); + + +# permit modifying templates but they must be simple +$attacker->PrincipalObj->GrantRight(Right => 'ShowTemplate', Object => $RT::System); +$attacker->PrincipalObj->GrantRight(Right => 'ModifyTemplate', Object => $RT::System); + +($ok, $msg) = $template_as_attacker->Create( + Name => 'Harmless, honest!', + Content => "\nhello ;)", + Type => 'Perl', +); +ok(!$ok, 'permission to create denied'); + + +($ok, $msg) = $template_as_attacker->Create( + Name => 'Harmless, honest!', + Content => "\nhello ;)", + Type => 'Simple', +); +ok($ok, 'created template now that we have ModifyTemplate'); + +($ok, $msg) = $template_as_attacker->SetType('Perl'); +ok(!$ok, 'permission to update type to Perl denied'); + +my $template_as_root = RT::Template->new(RT->SystemUser); +$template_as_root->Load('Harmless, honest!'); +is($template_as_root->Content, "\nhello ;)"); +is($template_as_root->Type, 'Simple'); + +$template_as_root->Parse(TicketObj => $ticket); +is($template_as_root->MIMEObj->stringify_body, "hello ;)"); + + +# update the content to include code (even though Simple won't parse it) + +($ok, $msg) = $template_as_attacker->SetContent("\nYou are { (my \$message = 'bjarq') =~ tr/a-z/n-za-m/; \$message }!"); +ok($ok, 'updating Content permitted since the template is Simple'); + +$template_as_root = RT::Template->new(RT->SystemUser); +$template_as_root->Load('Harmless, honest!'); + +is($template_as_root->Content, "\nYou are { (my \$message = 'bjarq') =~ tr/a-z/n-za-m/; \$message }!"); +is($template_as_root->Type, 'Simple'); + +$template_as_root->Parse(TicketObj => $ticket); +is($template_as_root->MIMEObj->stringify_body, "You are { (my \$message = 'bjarq') =~ tr/a-z/n-za-m/; \$message }!"); + + +# try again, why not +($ok, $msg) = $template_as_attacker->SetType('Perl'); +ok(!$ok, 'permission to update type to Perl denied'); + + +# now root will change the template to genuine code +$template_as_root = RT::Template->new(RT->SystemUser); +$template_as_root->Load('Harmless, honest!'); +$template_as_root->SetType('Perl'); +$template_as_root->SetContent("\n{ scalar reverse \$Ticket->Subject }"); + +$template_as_root->Parse(TicketObj => $ticket); +is($template_as_root->MIMEObj->stringify_body, "senil eulb"); + + +# see if we can update anything +$template_as_attacker = RT::Template->new($attacker); +$template_as_attacker->Load('Harmless, honest!'); + +($ok, $msg) = $template_as_attacker->SetContent("\nYou are { (my \$message = 'bjarq') =~ tr/a-z/n-za-m/; \$message }!"); +ok(!$ok, 'updating Content forbidden since the template is Perl'); + +# try again just to be absolutely sure it doesn't work +$template_as_root = RT::Template->new(RT->SystemUser); +$template_as_root->Load('Harmless, honest!'); +$template_as_root->SetType('Perl'); +$template_as_root->SetContent("\n{ scalar reverse \$Ticket->Subject }"); + +$template_as_root->Parse(TicketObj => $ticket); +is($template_as_root->MIMEObj->stringify_body, "senil eulb"); |