From d6548809a92b8f85ccc10d84ea3307d11a67d10e Mon Sep 17 00:00:00 2001
From: Nick Cleaton
Date: Fri, 19 Feb 2021 05:14:14 +0000
Subject: [PATCH] Failing tests for https://github.com/daethnir/authprogs/issues/11
---
 authprogs/tests/test_authprogs.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/authprogs/tests/test_authprogs.py b/authprogs/tests/test_authprogs.py
index 0236fbd..352bfbf 100644
--- a/authprogs/tests/test_authprogs.py
+++ b/authprogs/tests/test_authprogs.py
@@ -299,6 +299,17 @@ def test_explicitly_denied_scp(self):
 ap = getap('0.0.0.8', 'scp -d -t /etc/passwd')
 self.assertRaises(authprogs.CommandRejected, ap.find_match)
 
+ def test_sneaky_args_scp(self):
+ """Verify SCP rejects attempts to sneak args past it"""
+
+ # sneak past checks via option grouping
+ ap = getap('0.0.0.8', 'scp -df /etc/passwd')
+ self.assertRaises(authprogs.CommandRejected, ap.find_match)
+
+ # run a command via -S
+ ap = getap('0.0.0.8', 'scp -S /path/to/a/program /tmp/foo example.com:.')
+ self.assertRaises(authprogs.CommandRejected, ap.find_match)
+
 def test_recursive_scp(self):
 """Verify recursive tests pass/fail as expected."""
 ap = getap('0.0.0.7', 'scp -r -t -- /tmp')
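Review bot: The two scenarios in `test_sneaky_args_scp` share one method, so when the option-grouping assertion (`scp -df /etc/passwd`) fails, the `-S` case below it never runs; since the commit title says these tests are expected to fail until the issue is fixed, only the first failure is reported. Splitting them into two methods, e.g. `def test_grouped_options_scp(self):` and `def test_program_option_scp(self):`, lets each regression be tracked and fixed independently. Both cases assert only `CommandRejected`, so they cannot tell a rejection by option parsing from a rejection by some other rule configured for 0.0.0.8; a comment naming the rule that is expected to fire would help the next reader. The docstring also lacks the trailing period that the neighbouring `test_recursive_scp` docstring uses.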