Codestin Search App

Tests to see how Git web interfaces like GitHub and GitLab work exactly detect bugs.

This repository is mirrored at:

The SSH of those repos can be found at: remotes.sh, including other repos which don't have public view like Atlas.

Tests that are very large will not be included here to keep this repository small:

There are also some tests that could not be included here conveniently:

Other similar repos from other people:

https://github.com/joernchen/evil_stuff

The most interesting files on this repository are:

md.md
issue-md.md: test the markdown on issues
Weird stuff and attacks based on the filenames.

The only filenames which are not valid are:
- contain forward slash /
- .git
- . and .., but not ...
Everything else goes:
- ?a=b&c=d
- "
- '
- #
- ;
- :
- -start-with-slash
- <script>
- <script src="data:text;utf8,alert('xss')">
- back\slash
- whitespace filename edge cases:
  - single whitespace filename
  - double whitespace directory name and its README
  - [a b](a b)
Git directory inside Git directory: _git.

For further mischief, same files were copied on the top-level of the repository.

Interesting branches and tags:

hasslash/a: branch inside sub-directory
-r: branch with forbidden name, and in particular one that may be used for shell injection.
<script>alert('xss')</script> and <b>a</b>: XSS attempts

Create manually with cp master -- -r and push with git push --all.
tag-empty-blob: a tag that points to a blob
a;{echo,INJECTION};{echo,RULZ};: GitHub proposes a shell injection to users on a pull request under "You can also merge branches on the command line". #17

Name		Name	Last commit message	Last commit date
Latest commit History 159 Commits
Sorry, we had to truncate this directory to 1,000 files. 2 entries were omitted from the list.
_git		_git
d		d
objects		objects
refs/heads		refs/heads
"		"
";alert("xss");"		";alert("xss");"
#		#
'		'
';alert("xss");'		';alert("xss");'
-start-with-slash		-start-with-slash
.*		.*
...		...
.drone.yml		.drone.yml
:		:
;		;
;alert("xss");		;alert("xss");
;alert('xss');		;alert('xss');
<script src="data:text;utf8,alert('xss')">		<script src="data:text;utf8,alert('xss')">
<script>		<script>
<script>alert('xss')		<script>alert('xss')
<script>alert('xss');		<script>alert('xss');
?a=b&c=d		?a=b&c=d
HEAD		HEAD
README.md		README.md
VERSION		VERSION
a b		a b
a.atom		a.atom
a.csv		a.csv
a.git		a.git
a.json		a.json
a.rb		a.rb
a.rdoc		a.rdoc
back\slash		back\slash
by-linus.md		by-linus.md
conflict.md		conflict.md
deface.md		deface.md
diff		diff
diff-highlight-adjacent.md		diff-highlight-adjacent.md
diff-last-line.md		diff-last-line.md
diff-visibility.md		diff-visibility.md
diff.md		diff.md
empty		empty
end-in-dot-git.git		end-in-dot-git.git
executable		executable
gif.gif		gif.gif
hard-tabs.c		hard-tabs.c
html-fragment.html		html-fragment.html
html.html		html.html
issue-md.md		issue-md.md
javascript:alert('xss')		javascript:alert('xss')
jpg.jpg		jpg.jpg
long-chinese-commit-msg		long-chinese-commit-msg
long-commit-msg		long-commit-msg
md.md		md.md
no-preview		no-preview
noext		noext
ordered-list-with-list-bug.md		ordered-list-with-list-bug.md
pdf.pdf		pdf.pdf
png-noext		png-noext
png.png		png.png
remotes.sh		remotes.sh
svg.svg		svg.svg
sym-abs-fstab		sym-abs-fstab
sym-abs-fstab.md		sym-abs-fstab.md
sym-dot		sym-dot
sym-git-config		sym-git-config
sym-readme		sym-readme
sym-up		sym-up
txt.txt		txt.txt
utf8-中文		utf8-中文

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

About

Releases 3

Packages

Contributors 3

Languages

cirosantilli/test-git-web-interface

Folders and files

Latest commit

History

Repository files navigation

About

Resources

Stars

Watchers

Forks

Releases 3

Packages 0

Contributors 3

Languages

Packages