Make more test repos with traversal-attempting blob names

EliahKagan · EliahKagan · commit f3edaa352ab2 · 2024-05-21T02:10:29.000-04:00
The approach in make_traverse_literal_slases.sh works about equally
well for any top level file with strange characters. Before, it was
only generating such repositores where the filename has slashes,
causing traversal on all platforms. This has is generate two more
repositories, with backslashes instead of slashes. That script's
name is accordingly updated to make_traverse_literal_separators.sh.

Note that while such names with backslashes may be blocked on
multiple systems under various circumstances, they will only
perform traversal on Windows.
diff --git a/gix-worktree/tests/fixtures/make_traverse_literal_separators.sh b/gix-worktree/tests/fixtures/make_traverse_literal_separators.sh
@@ -27,9 +27,17 @@ function make_repo() (
 make_repo traverse_dotdot_slashes ../outside 100644 \
   <<<'A file outside the working tree, somehow.'
 
-# TODO: Should the payload be simplified to a single side effect for tests to check?
 make_repo traverse_dotgit_slashes .git/hooks/pre-commit 100755 <<'EOF'
 #!/bin/sh
 printf 'Vulnerable!\n'
 date >vulnerable
 EOF
+
+make_repo traverse_dotdot_backslashes '..\outside' 100644 \
+  <<<'A file outside the working tree, somehow.'
+
+make_repo traverse_dotgit_backslashes '.git\hooks\pre-commit' 100755 <<'EOF'
+#!/bin/sh
+printf 'Vulnerable!\n'
+date >vulnerable
+EOF
