Enforce token on api routes [fixed critical security issue #4357] (#4840)

B-OnTheGo 2018-09-11 02:15:52 +10:00 committed by techknowlogick
parent 387a4b09c1
commit e47df0b301
17 changed files with 131 additions and 89 deletions


@ -22,7 +22,7 @@ func TestAPICreateRelease(t *testing.T) {
repo := models.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
session := loginUser(t, owner.LowerName)
token := getTokenForLoggedInUser(t, session)
gitRepo, err := git.OpenRepository(repo.RepoPath())
assert.NoError(t, err)
@ -32,8 +32,8 @@ func TestAPICreateRelease(t *testing.T) {
commitID, err := gitRepo.GetTagCommitID("v0.0.1")
assert.NoError(t, err)
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/releases",
owner.Name, repo.Name)
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/releases?token=%s",
owner.Name, repo.Name, token)
req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateReleaseOption{
TagName: "v0.0.1",
Title: "v0.0.1",
@ -53,8 +53,8 @@ func TestAPICreateRelease(t *testing.T) {
Note: newRelease.Note,
})
urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d",
owner.Name, repo.Name, newRelease.ID)
urlStr = fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d?token=%s",
owner.Name, repo.Name, newRelease.ID, token)
req = NewRequest(t, "GET", urlStr)
resp = session.MakeRequest(t, req, http.StatusOK)
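Review bot: The hunks in TestAPICreateRelease only append `?token=%s` to requests that are expected to succeed, so nothing visible here asserts what the commit is meant to enforce: that the same call made with the logged-in `session` but no token is now refused. A regression check for #4357 would send the original tokenless URL first, e.g. `session.MakeRequest(t, NewRequestWithJSON(t, "POST", tokenlessURL, opts), rejectStatus)`, where `tokenlessURL`, `opts` and `rejectStatus` are placeholders, and the status is whatever the new route check returns (not shown in this section). Other files in the commit may already cover this, and the function body continues outside the hunks, so confirm before adding it. Separately, a token carried in the query string is recorded in access and proxy logs, so a one-line comment such as `// token in query string for test convenience only` would keep this pattern from being copied into client code.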