web/forgejo
10
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 4

Enforce token on api routes [fixed critical security issue #4357] (#4840)

Browse source
This commit is contained in:
B-OnTheGo 2018-09-11 02:15:52 +10:00 committed by techknowlogick
parent 387a4b09c1
commit e47df0b301
17 changed files with 131 additions and 89 deletions
Download patch file Download diff file Expand all files Collapse all files

16
integrations/integration_test.go
View file

@ -223,6 +223,22 @@ func loginUserWithPassword(t testing.TB, userName, password string) *TestSession
return session
}
func getTokenForLoggedInUser(t testing.TB, session *TestSession) string {
req := NewRequest(t, "GET", "/user/settings/applications")
resp := session.MakeRequest(t, req, http.StatusOK)
doc := NewHTMLParser(t, resp.Body)
req = NewRequestWithValues(t, "POST", "/user/settings/applications", map[string]string{
"_csrf": doc.GetCSRF(),
"name": "api-testing-token",
})
resp = session.MakeRequest(t, req, http.StatusFound)
req = NewRequest(t, "GET", "/user/settings/applications")
resp = session.MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
token := htmlDoc.doc.Find(".ui.info p").Text()
return token
}
func NewRequest(t testing.TB, method, urlStr string) *http.Request {
return NewRequestWithBody(t, method, urlStr, nil)
}