test(man,info): test unexpected code execution

akinomyoga · akinomyoga · commit f78f49946b2d · 2023-04-17T05:20:05.000+09:00
diff --git a/test/t/test_info.py b/test/t/test_info.py
@@ -10,3 +10,11 @@ def test_1(self, completion):
     @pytest.mark.complete("info -", require_cmd=True)
     def test_2(self, completion):
         assert completion
+
+    @pytest.mark.complete(
+        "info nonexistent-nam",
+        env=dict(INFOPATH="'$(echo malicious code >/dev/tty)'"),
+    )
+    def test_infopath_code_injection(self, completion):
+        # no completion, no space appended
+        assert not completion
diff --git a/test/t/test_man.py b/test/t/test_man.py
@@ -148,3 +148,11 @@ def test_delimited_deduplication(self, completion):
     )
     def test_zstd_arbitrary_sectsuffix(self, completion):
         assert completion == "e"
+
+    @pytest.mark.complete(
+        "man bash-completion-testcas",
+        env=dict(MANPATH="'$(echo malicious code >/dev/tty)'"),
+    )
+    def test_manpath_code_injection(self, completion):
+        # no completion, no space appended
+        assert not completion
