web/forgejo
8
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-02-23 03:45:47 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

chore: remove illegal git usage

Browse source 
This is no longer possible in future go-git versions, so lets hardcode it

(cherry picked from commit 58ee57d5f2e547ba0786b2b5ebe87caa3ca545d5)
This commit is contained in:
Gusted 2025-01-08 04:35:32 +01:00
parent 9651e9d002
commit 1c825edb1a
No known key found for this signature in database
GPG key ID: FD821B732837125F
7 changed files with 44 additions and 67 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
routers/web/repo/wiki_test.go
View file

@ -86,7 +86,7 @@ func TestWiki(t *testing.T) {
Wiki(ctx) Wiki(ctx)
assert.EqualValues(t, http.StatusOK, ctx.Resp.Status()) assert.EqualValues(t, http.StatusOK, ctx.Resp.Status())
assert.EqualValues(t, "Home", ctx.Data["Title"]) assert.EqualValues(t, "Home", ctx.Data["Title"])
assertPagesMetas(t, []string{"Home", "Page With Image", "Page With Spaced Name", "Unescaped File"}, ctx.Data["Pages"]) assertPagesMetas(t, []string{"Home", "Page With Image", "Page With Spaced Name", "Unescaped File", "XSS"}, ctx.Data["Pages"])
} }
func TestWikiPages(t *testing.T) { func TestWikiPages(t *testing.T) {
@ -96,7 +96,7 @@ func TestWikiPages(t *testing.T) {
contexttest.LoadRepo(t, ctx, 1) contexttest.LoadRepo(t, ctx, 1)
WikiPages(ctx) WikiPages(ctx)
assert.EqualValues(t, http.StatusOK, ctx.Resp.Status()) assert.EqualValues(t, http.StatusOK, ctx.Resp.Status())
assertPagesMetas(t, []string{"Home", "Page With Image", "Page With Spaced Name", "Unescaped File"}, ctx.Data["Pages"]) assertPagesMetas(t, []string{"Home", "Page With Image", "Page With Spaced Name", "Unescaped File", "XSS"}, ctx.Data["Pages"])
} }
func TestNewWiki(t *testing.T) { func TestNewWiki(t *testing.T) {

BIN
tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/33/d12aaaf988976c9dbd0fed80107d34a3b7c333 Normal file
View file

Binary file not shown.

BIN
tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/a6/dc41d9e96df65286a79f5625ec51635e47f752 Normal file
View file

Binary file not shown.

BIN
tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/f5/2e5fe33420747668efc24fc03d44145db864bb Normal file
View file

Binary file not shown.

2
tests/gitea-repositories-meta/user2/repo1.wiki.git/refs/heads/master
View file

@ -1 +1 @@
0dca5bd9b5d7ef937710e056f575e86c0184ba85 33d12aaaf988976c9dbd0fed80107d34a3b7c333

23
tests/integration/api_wiki_test.go
View file

@ -198,6 +198,29 @@ func TestAPIListWikiPages(t *testing.T) {
Message: "add unescaped file\n", Message: "add unescaped file\n",
}, },
}, },
{
Title: "XSS",
HTMLURL: meta[4].HTMLURL,
SubURL: "XSS",
LastCommit: &api.WikiCommit{
ID: "33d12aaaf988976c9dbd0fed80107d34a3b7c333",
Author: &api.CommitUser{
Identity: api.Identity{
Name: "Gusted<script class=\"evil\">alert('Oh no!');</script>",
Email: "valid@example.org",
},
Date: "2024-01-31T00:00:00Z",
},
Committer: &api.CommitUser{
Identity: api.Identity{
Name: "Gusted<script class=\"evil\">alert('Oh no!');</script>",
Email: "valid@example.org",
},
Date: "2024-01-31T00:00:00Z",
},
Message: "Yay XSS",
},
},
} }
assert.Equal(t, dummymeta, meta) assert.Equal(t, dummymeta, meta)

82
tests/integration/xss_test.go
View file

@ -4,25 +4,16 @@
package integration package integration
import ( import (
"context"
"fmt" "fmt"
"net/http" "net/http"
"net/url"
"os"
"path/filepath"
"testing" "testing"
"time"
issues_model "code.gitea.io/gitea/models/issues" issues_model "code.gitea.io/gitea/models/issues"
"code.gitea.io/gitea/models/unittest" "code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user" user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/tests" "code.gitea.io/gitea/tests"
gogit "github.com/go-git/go-git/v5"
"github.com/go-git/go-git/v5/plumbing/object"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
) )
func TestXSSUserFullName(t *testing.T) { func TestXSSUserFullName(t *testing.T) {
@ -50,67 +41,30 @@ func TestXSSUserFullName(t *testing.T) {
} }
func TestXSSWikiLastCommitInfo(t *testing.T) { func TestXSSWikiLastCommitInfo(t *testing.T) {
onGiteaRun(t, func(t *testing.T, u *url.URL) { defer tests.PrepareTestEnv(t)()
// Prepare the environment.
dstPath := t.TempDir()
r := fmt.Sprintf("%suser2/repo1.wiki.git", u.String())
u, err := url.Parse(r)
require.NoError(t, err)
u.User = url.UserPassword("user2", userPassword)
require.NoError(t, git.CloneWithArgs(context.Background(), git.AllowLFSFiltersArgs(), u.String(), dstPath, git.CloneRepoOptions{}))
// Use go-git here, because using git wouldn't work, it has code to remove // Check on page view.
// `<`, `>` and `\n` in user names. Even though this is permitted and t.Run("Page view", func(t *testing.T) {
// wouldn't result in a error by a Git server. defer tests.PrintCurrentTest(t)()
gitRepo, err := gogit.PlainOpen(dstPath)
require.NoError(t, err)
w, err := gitRepo.Worktree() req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/XSS")
require.NoError(t, err) resp := MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
filename := filepath.Join(dstPath, "Home.md") htmlDoc.AssertElement(t, "script.evil", false)
err = os.WriteFile(filename, []byte("Oh, a XSS attack?"), 0o644) assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted<script class="evil">alert('Oh no!');</script> edited this page 2024-01-31`)
require.NoError(t, err) })
_, err = w.Add("Home.md") // Check on revisions page.
require.NoError(t, err) t.Run("Revision page", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
_, err = w.Commit("Yay XSS", &gogit.CommitOptions{ req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/XSS?action=_revision")
Author: &object.Signature{ resp := MakeRequest(t, req, http.StatusOK)
Name: `Gusted<script class="evil">alert('Oh no!');</script>`, htmlDoc := NewHTMLParser(t, resp.Body)
Email: "valid@example.org",
When: time.Date(2024, time.January, 31, 0, 0, 0, 0, time.UTC),
},
})
require.NoError(t, err)
// Push. htmlDoc.AssertElement(t, "script.evil", false)
_, _, err = git.NewCommand(git.DefaultContext, "push").AddArguments(git.ToTrustedCmdArgs([]string{"origin", "master"})...).RunStdString(&git.RunOpts{Dir: dstPath}) assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted<script class="evil">alert('Oh no!');</script> edited this page 2024-01-31`)
require.NoError(t, err)
// Check on page view.
t.Run("Page view", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/Home")
resp := MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
htmlDoc.AssertElement(t, "script.evil", false)
assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted<script class="evil">alert('Oh no!');</script> edited this page 2024-01-31`)
})
// Check on revisions page.
t.Run("Revision page", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/Home?action=_revision")
resp := MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
htmlDoc.AssertElement(t, "script.evil", false)
assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted<script class="evil">alert('Oh no!');</script> edited this page 2024-01-31`)
})
}) })
} }