test: reply (in cli and emacs) should protect indexed sensitive headers

These tests are currently broken!  When a protected subject is indexed
in the clear, it leaks in the reply headers :(

For emacs, we set up separate tests for when the protected header is
indexed in the clear and when it is unindexed.  neither case should
leak, but the former wasn't tested yet.

We will fix the two broken tests in a subsequent patch.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
This commit is contained in:
Daniel Kahn Gillmor 2019-05-26 18:16:09 -04:00 committed by David Bremner
parent cd8006886b
commit 06dedd0a83
2 changed files with 52 additions and 0 deletions

View file

@ -99,6 +99,13 @@ output=$(notmuch search --format=json 'id:protected-header@crypto.notmuchmail.or
test_json_nodes <<<"$output" \ test_json_nodes <<<"$output" \
'subject:[0]["subject"]="This is a protected header"' 'subject:[0]["subject"]="This is a protected header"'
test_begin_subtest "indexed protected subject is not visible in reply header"
test_subtest_known_broken
output=$(notmuch reply --format=json 'id:protected-header@crypto.notmuchmail.org')
test_json_nodes <<<"$output" \
'subject:["original"]["headers"]["Subject"]="This is a protected header"' \
'reply-subject:["reply-headers"]["Subject"]="Re: Subject Unavailable"'
test_begin_subtest "verify correct protected header when submessage exists" test_begin_subtest "verify correct protected header when submessage exists"
output=$(notmuch show --decrypt=true --format=json id:encrypted-message-with-forwarded-attachment@crypto.notmuchmail.org) output=$(notmuch show --decrypt=true --format=json id:encrypted-message-with-forwarded-attachment@crypto.notmuchmail.org)
test_json_nodes <<<"$output" \ test_json_nodes <<<"$output" \

View file

@ -51,6 +51,29 @@ This is the sekrit message
EOF EOF
test_expect_equal_file EXPECTED OUTPUT test_expect_equal_file EXPECTED OUTPUT
# notmuch-emacs still leaks the subject line; as long as it leaks the
# subject line, it should emit the external subject, not the protected
# subject, even if it knows what the true subject is:
test_begin_subtest "Reply within emacs to a message with protected headers, not leaking subject"
test_emacs "(let ((message-hidden-headers '()))
(notmuch-show \"id:protected-header@crypto.notmuchmail.org\")
(notmuch-show-reply)
(test-output))"
cat <<EOF >EXPECTED
From: Notmuch Test Suite <test_suite@notmuchmail.org>
To: test_suite@notmuchmail.org
Subject: Re: Subject Unavailable
In-Reply-To: <protected-header@crypto.notmuchmail.org>
Fcc: ${MAIL_DIR}/sent
References: <protected-header@crypto.notmuchmail.org>
--text follows this line--
<#secure method=pgpmime mode=signencrypt>
test_suite@notmuchmail.org writes:
> This is the sekrit message
EOF
test_expect_equal_file EXPECTED OUTPUT
# protected headers should behave differently after re-indexing # protected headers should behave differently after re-indexing
test_begin_subtest 'defaulting to indexing cleartext' test_begin_subtest 'defaulting to indexing cleartext'
test_expect_success 'notmuch config set index.decrypt true' test_expect_success 'notmuch config set index.decrypt true'
@ -67,4 +90,26 @@ End of search results.
EOF EOF
test_expect_equal_file EXPECTED OUTPUT test_expect_equal_file EXPECTED OUTPUT
# notmuch-emacs still leaks the subject line:
test_begin_subtest "don't leak protected subject during reply, even if indexed"
test_subtest_known_broken
test_emacs "(let ((message-hidden-headers '()))
(notmuch-show \"id:protected-header@crypto.notmuchmail.org\")
(notmuch-show-reply)
(test-output))"
cat <<EOF >EXPECTED
From: Notmuch Test Suite <test_suite@notmuchmail.org>
To: test_suite@notmuchmail.org
Subject: Re: Subject Unavailable
In-Reply-To: <protected-header@crypto.notmuchmail.org>
Fcc: ${MAIL_DIR}/sent
References: <protected-header@crypto.notmuchmail.org>
--text follows this line--
<#secure method=pgpmime mode=signencrypt>
test_suite@notmuchmail.org writes:
> This is the sekrit message
EOF
test_expect_equal_file EXPECTED OUTPUT
test_done test_done