Tests to see exactly how Git web interfaces like GitHub and GitLab work, and to detect bugs.
This repository is mirrored at:
The SSH of those repos can be found at: remotes.sh, including other repos which don’t have public view like Atlas.
Tests that are very large will not be included here to keep this repository small:
There are also some tests that could not be included here conveniently:
Other similar repos from other people:
The most interesting files in this repository are:
issue-markdown.md: test the markdown on issues
filename/: weird stuff and attacks based on the filenames
The only filenames which are not valid are: `/`, `.git`, `.` and `..`, but not `...`.
Everything else goes:
`<script src="data:text;utf8,alert('xss')">`
Symlinks:
Interesting branches and tags:
`hasslash/a`: branch inside sub-directory
`-r`: branch with forbidden name, and in particular one that may be used for shell injection.
`<script>alert('xss')</script>` and `<b>a</b>`: XSS attempts
Create manually with `cp master -- -r` and push with `git push --all`.
`tag-empty-blob`: a tag that points to a blob
`a;{echo,INJECTION};{echo,RULZ};`: GitHub proposes a shell injection to users on a pull request under “You can also merge branches on the command line”. https://github.com/cirosantilli/test/pull/17
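How a web interface can print copy-paste instructions for branch names like the ones listed above without the name being read as an option, as shell syntax or as HTML. This is an added example, not code from this repository or from GitHub; the function names, the `origin` remote and the `git fetch` line are assumptions chosen for illustration.

```python
import html
import shlex

# Constructed inputs: branch names copied from the list above.
SAMPLE_BRANCHES = [
    "hasslash/a",
    "-r",
    "<script>alert('xss')</script>",
    "a;{echo,INJECTION};{echo,RULZ};",
]

def naive_command(branch):
    """Unsafe counterpart for comparison: the name is interpolated as-is."""
    return "git fetch origin " + branch

def fetch_command(branch, remote="origin"):
    """Return a copy-paste-safe shell line that fetches `branch`.

    The refs/heads/ prefix stops a name such as -r from being read as an
    option; shlex.quote() makes the shell treat the ref as one literal word.
    """
    if "\0" in branch or "\n" in branch:
        raise ValueError("control character in branch name")
    ref = "refs/heads/" + branch
    return " ".join(["git", "fetch", shlex.quote(remote), shlex.quote(ref)])

def render_instruction(branch):
    """HTML for the instruction box: shell-quote first, then HTML-escape."""
    return "<pre>" + html.escape(fetch_command(branch)) + "</pre>"

if __name__ == "__main__":
    for name in SAMPLE_BRANCHES:
        print("naive:   ", naive_command(name))
        print("quoted:  ", fetch_command(name))
        print("rendered:", render_instruction(name))
        print()
```

The order of the two encodings matters: the shell quoting must survive into what the user copies, so HTML escaping is applied last, to the finished command line.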