From 65e38c8d5e27a6cbf4bf20c4c12fc3894ed9c813 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Sun, 14 Jun 2026 13:53:49 +0000
Subject: [PATCH 1/2] test(gitea-curl): harden equals-form rejections + prove create-before-write ordering
Adds explicit -H=Authorization:... regression cases and a test that runs main() while intercepting _write_netrc to assert the tempfile is mode 0600 and empty at the moment credentials are written. This fails if create/write order is ever swapped.
---
 scripts/test_gitea_curl.py | 61 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
diff --git a/scripts/test_gitea_curl.py b/scripts/test_gitea_curl.py
index d42ed83..dbd1e89 100644
--- a/scripts/test_gitea_curl.py
+++ b/scripts/test_gitea_curl.py
@@ -86,6 +86,8 @@ REJECT_CASES = [
     ("--header=Proxy-Authorization: Basic b64", ["--header=Proxy-Authorization: Basic b64"]),
     # equals-attached value bypass (RC #11714)
     ('--header=Authorization=Bearer tok', ["--header=Authorization=Bearer tok"]),
+    ('-H=Authorization: Bearer tok', ["-H=Authorization: Bearer tok"]),
+    ('-H=Authorization=Bearer tok', ["-H=Authorization=Bearer tok"]),
     ('-H "Authorization=token tok"', ["-H", "Authorization=token tok"]),
     ('--header=Proxy-Authorization=Basic b64', ["--header=Proxy-Authorization=Basic b64"]),
     # structural-scan catch-all: unusual spacing/separators that prior form-by-form 
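Review bot: Every Authorization case visible in this hunk, including the two new `-H=` entries, spells the header name in canonical case, yet HTTP header names are case-insensitive and curl forwards them as given, so a lowercase variant such as `('-H "authorization: Bearer tok"', ["-H", "authorization: Bearer tok"])` belongs in REJECT_CASES if it is not already present further down the list. The two new entries also sit directly under `# equals-attached value bypass (RC #11714)` although they exercise a different shape, the `=` glued to the short option rather than to the header value, so a reader scanning the list cannot tell why both families are grouped together; a one-line comment above them, `# short-option equals form: '=' glued to -H rather than to the value`, would keep the grouping honest. REJECT_CASES starts and ends outside the hunk.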
@@ -258,6 +260,65 @@ def test_setup_netrc_tempfile_is_private_before_token_write(
     assert mode_after == 0o600, f"tempfile widened during write: {oct(mode_after)}"
+def test_setup_netrc_main_orders_create_before_write(
+    setup_script: pathlib.Path,
+    tmp_home: pathlib.Path,
+) -> None:
+    """Regression: main() must call _create_private_tempfile (mode 0600, empty)
+    BEFORE _write_netrc puts token bytes into the file.
+
+    We source the script, override _write_netrc to assert the incoming path is
+    already mode 0600 and empty, then run main(). A create-then-write swap
+    (e.g., write-then-chmod, or reusing a pre-existing file with content)
+    will fail this assertion because the file would not be empty at write time.
+    """
+    env = {
+        **os.environ,
+        "HOME": str(tmp_home),
+        "GIT_HTTP_USERNAME": "agent-dev-a",
+        "GIT_HTTP_PASSWORD": "s3cr3t-t0k3n",
+        "GITEA_HOST": "git.moleculesai.app",
+    }
+    override = f'''
+source "{setup_script}"
+_write_netrc() {{
+    local path="$1" host="$2" user="$3" pass="$4"
+    local mode
+    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
+    if [ "$mode" != "600" ]; then
+        echo "FAIL: tempfile mode is $mode, expected 600" >&2
+        exit 1
+    fi
+    if [ -s "$path" ]; then
+        echo "FAIL: tempfile is not empty at write time" >&2
+        exit 1
+    fi
+    # Write so main() can complete the atomic move.
+    cat > "$path" <
Date: Sun, 14 Jun 2026 13:59:24 +0000
Subject: [PATCH 2/2] test(gitea-curl): add exact RC #11721 -H=Authorization: token SECRET regression case
The structural argv scan on b65272e already closes this bypass; this commit pins the exact form Researcher verified so it cannot silently regress.
---
 scripts/test_gitea_curl.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/scripts/test_gitea_curl.py b/scripts/test_gitea_curl.py
index dbd1e89..04eeb08 100644
--- a/scripts/test_gitea_curl.py
+++ b/scripts/test_gitea_curl.py
@@ -95,6 +95,8 @@ REJECT_CASES = [
     ('-H "Authorization : Bearer tok"', ["-H", "Authorization : Bearer tok"]),
     ('--header=Authorization : Bearer tok', ["--header=Authorization : Bearer tok"]),
     ('-H "Authorization:token"', ["-H", "Authorization:token"]),
+    # exact #11721 form verified by Researcher on b65272e
+    ('-H=Authorization: token SECRET', ["-H=Authorization: token SECRET"]),
 ]
-- 
2.52.0
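Review bot: The new `-H=Authorization: token SECRET` entry is appended after the structural-scan catch-all group even though it is the same short-option equals shape as the `-H=Authorization: Bearer tok` case added earlier in REJECT_CASES, differing only in the credential scheme and token text; placing it beside that entry would keep the list grouped by bypass shape rather than by ticket number. If the intent is specifically to pin the verbatim string from the ticket, the comment should say so, e.g. `# exact #11721 form (same -H= shape as the RC #11714 group; pinned verbatim so it cannot regress)`, so a later cleanup does not fold it away as a duplicate. Two lines of this hunk's old side are not visible here, presumably blank lines around the closing `]`. REJECT_CASES starts outside the hunk; the `]` that closes it is the hunk's last visible line.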