Add test for BatBadBut vulnerability

madebr · Sep 16, 2024 · b1684ed · b1684ed
1 parent ca3cb90
commit b1684ed
Showing 1 changed file with 46 additions and 0 deletions.
diff --git a/test/testprocess.c b/test/testprocess.c
@@ -736,6 +736,47 @@ static int process_testNonExistingExecutable(void *arg)
  return TEST_COMPLETED;
 }
 
+static int process_testBatBadButVulnerability(void *arg)
+{
+ TestProcessData *data = (TestProcessData *)arg;
+ char *inject_arg = NULL;
+ char **process_args = NULL;
+ char *text_out = NULL;
+ size_t len_text_out;
+ int exitcode;
+ SDL_Process *process = NULL;
+ SDL_IOStream *child_bat;
+
+#ifndef SDL_PLATFORM_WINDOWS
+ SDLTest_AssertPass("The BatBadBut vulnerability only applied to Windows");
+ return TEST_SKIPPED;
+#endif
+ /* FIXME: remove child.bat at end of loop and/or create in temporary directory */
+ child_bat = SDL_IOFromFile("child.bat", "w");
+ SDL_IOprintf(child_bat, "@echo off\necho \"Hello from child.bat\"\n");
+ SDL_CloseIO(child_bat);
+
+ inject_arg = SDL_malloc(SDL_strlen(data->childprocess_path) + 100);
+ SDL_snprintf(inject_arg, SDL_strlen(data->childprocess_path) + 100, "\"&%s --version --stdout OWNEDSTDOUT\"", data->childprocess_path);
+ process_args = CreateArguments(0, "child.bat", inject_arg, NULL);
+
+ SDLTest_AssertPass("About to call SDL_CreateProcess");
+ process = SDL_CreateProcess((const char * const*)process_args, SDL_TRUE);
+ SDLTest_AssertCheck(process != NULL, "SDL_CreateProcess");
+ text_out = SDL_ReadProcess(process, &len_text_out, &exitcode);
+ SDLTest_AssertCheck(exitcode == 0, "process exited with exitcode 0, was %d", exitcode);
+ SDLTest_LogEscapedString("Output: ", text_out, len_text_out);
+
+ SDLTest_AssertCheck(SDL_strstr(text_out, "Hello from child") != NULL, "stdout contains 'Hello from child'");
+ SDLTest_AssertCheck(SDL_strstr(text_out, "SDL version") == NULL, "stdout should not contain SDL version");
+
+ SDL_free(text_out);
+ SDL_DestroyProcess(process);
+ SDL_free(inject_arg);
+ DestroyStringArray(process_args);
+ return TEST_COMPLETED;
+}
+
 static const SDLTest_TestCaseReference processTestArguments = {
  process_testArguments, "process_testArguments", "Test passing arguments to child process", TEST_ENABLED
 };
@@ -776,6 +817,10 @@ static const SDLTest_TestCaseReference processTestNonExistingExecutable = {
  process_testNonExistingExecutable, "process_testNonExistingExecutable", "Test running a non-existing executable", TEST_ENABLED
 };
 
+static const SDLTest_TestCaseReference processTestBatBadButVulnerability = {
+ process_testBatBadButVulnerability, "process_testBatBadButVulnerability", "Test BatBadBut vulnerability: command injection through cmd.exe", TEST_ENABLED
+};
+
 static const SDLTest_TestCaseReference *processTests[] = {
  &processTestArguments,
  &processTestExitCode,
@@ -787,6 +832,7 @@ static const SDLTest_TestCaseReference *processTests[] = {
  &processTestMultiprocessStdinToStdout,
  &processTestWriteToFinishedProcess,
  &processTestNonExistingExecutable,
+ &processTestBatBadButVulnerability,
  NULL
 };