mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-11-04 00:11:04 +00:00
5ac2c0a2ba
Followup to https://codeberg.org/forgejo/forgejo/pulls/2364 Replaces https://codeberg.org/forgejo/forgejo/pulls/7666 Fix multiple issues with the original implementation: * `SyncFork` web handler used `{branch}` as a parameter, so it failed for branches with `/` in names * Originally I switched it to use `*` like other branch web handlers, but I found that it was easier to move it out from URL to POST request values * Security: `SyncFork` web handler was using GET method, so just visiting the link was enough to execute the action * It was switched to POST done via form with CSRF, which also allowed to put branch name in it's values * Security: in template, branch name was not escaped but rendered with `SafeHTML`, allowing for rendering fun characters like `&` and for script execution. Also the link was not escaped correctly and would be leading to 404 * To avoid having to change all translations, only the branch name+link part was changed and is now escaped with `HTMLFormat` before being passed to TrN Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7740 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: 0ko <0ko@noreply.codeberg.org> Co-committed-by: 0ko <0ko@noreply.codeberg.org>
152 lines
5.8 KiB
Go
152 lines
5.8 KiB
Go
// Copyright 2025 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"testing"
|
|
|
|
auth_model "forgejo.org/models/auth"
|
|
repo_model "forgejo.org/models/repo"
|
|
"forgejo.org/models/unittest"
|
|
user_model "forgejo.org/models/user"
|
|
api "forgejo.org/modules/structs"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func syncForkTest(t *testing.T, forkName, branchName string, webSync bool) {
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 20})
|
|
|
|
baseRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
|
baseUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: baseRepo.OwnerID})
|
|
|
|
session := loginUser(t, user.Name)
|
|
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
|
|
|
// Create a new fork
|
|
req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/forks", baseRepo.FullName()), &api.CreateForkOption{Name: &forkName}).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusAccepted)
|
|
|
|
req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/sync_fork/%s", user.Name, forkName, branchName).AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
var syncForkInfo *api.SyncForkInfo
|
|
DecodeJSON(t, resp, &syncForkInfo)
|
|
|
|
// This is a new fork, so the commits in both branches should be the same
|
|
assert.False(t, syncForkInfo.Allowed)
|
|
assert.Equal(t, syncForkInfo.BaseCommit, syncForkInfo.ForkCommit)
|
|
|
|
// Make a commit on the base branch
|
|
err := createOrReplaceFileInBranch(baseUser, baseRepo, "sync_fork.txt", branchName, "Hello")
|
|
require.NoError(t, err)
|
|
|
|
req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/sync_fork/%s", user.Name, forkName, branchName).AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
|
|
DecodeJSON(t, resp, &syncForkInfo)
|
|
|
|
// The commits should no longer be the same and we can sync
|
|
assert.True(t, syncForkInfo.Allowed)
|
|
assert.NotEqual(t, syncForkInfo.BaseCommit, syncForkInfo.ForkCommit)
|
|
|
|
// Sync the fork
|
|
if webSync {
|
|
session.MakeRequest(t, NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/sync_fork", user.Name, forkName), map[string]string{
|
|
"_csrf": GetCSRF(t, session, fmt.Sprintf("/%s/%s", user.Name, forkName)),
|
|
"branch": branchName,
|
|
}), http.StatusSeeOther)
|
|
} else {
|
|
req = NewRequestf(t, "POST", "/api/v1/repos/%s/%s/sync_fork/%s", user.Name, forkName, branchName).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNoContent)
|
|
}
|
|
|
|
req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/sync_fork/%s", user.Name, forkName, branchName).AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
|
|
DecodeJSON(t, resp, &syncForkInfo)
|
|
|
|
// After the sync both commits should be the same again
|
|
assert.False(t, syncForkInfo.Allowed)
|
|
assert.Equal(t, syncForkInfo.BaseCommit, syncForkInfo.ForkCommit)
|
|
}
|
|
|
|
func TestAPIRepoSyncForkDefault(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, u *url.URL) {
|
|
syncForkTest(t, "SyncForkDefault", "master", false)
|
|
})
|
|
}
|
|
|
|
func TestAPIRepoSyncForkBranch(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, u *url.URL) {
|
|
syncForkTest(t, "SyncForkBranch", "master", false)
|
|
})
|
|
}
|
|
|
|
func TestWebRepoSyncForkBranch(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, u *url.URL) {
|
|
syncForkTest(t, "SyncForkBranch", "master", true)
|
|
})
|
|
}
|
|
|
|
func TestWebRepoSyncForkHomepage(t *testing.T) {
|
|
onGiteaRun(t, func(t *testing.T, u *url.URL) {
|
|
baseRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
|
baseOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: baseRepo.OwnerID})
|
|
baseOwnerSession := loginUser(t, baseOwner.Name)
|
|
|
|
forkOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 20})
|
|
forkOwnerSession := loginUser(t, forkOwner.Name)
|
|
token := getTokenForLoggedInUser(t, forkOwnerSession, auth_model.AccessTokenScopeWriteRepository)
|
|
|
|
forkName := "SyncForkHomepage"
|
|
forkLink := fmt.Sprintf("/%s/%s", forkOwner.Name, forkName)
|
|
branchName := "<script>alert('0ko')</script>&"
|
|
branchHTMLEscaped := "<script>alert('0ko')</script>&amp;"
|
|
branchURLEscaped := "%3Cscript%3Ealert%28%270ko%27%29%3C/script%3E&amp%3B"
|
|
|
|
// Rename branch "master" to test name escaping in the UI
|
|
baseOwnerSession.MakeRequest(t, NewRequestWithValues(t, "POST",
|
|
"/user2/repo1/settings/rename_branch", map[string]string{
|
|
"_csrf": GetCSRF(t, baseOwnerSession, "/user2/repo1/branches"),
|
|
"from": "master",
|
|
"to": branchName,
|
|
}), http.StatusSeeOther)
|
|
|
|
// Create a new fork
|
|
req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/forks", baseRepo.FullName()), &api.CreateForkOption{Name: &forkName}).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusAccepted)
|
|
|
|
// Make a commit on the base branch
|
|
err := createOrReplaceFileInBranch(baseOwner, baseRepo, "sync_fork.txt", branchName, "Hello")
|
|
require.NoError(t, err)
|
|
|
|
doc := NewHTMLParser(t, forkOwnerSession.MakeRequest(t,
|
|
NewRequest(t, "GET", forkLink), http.StatusOK).Body)
|
|
|
|
// Verify correct URL escaping of branch name in the form
|
|
form := doc.Find("#sync_fork_msg form")
|
|
assert.Equal(t, 1, form.Length())
|
|
updateLink, exists := form.Attr("action")
|
|
assert.True(t, exists)
|
|
|
|
// Verify correct escaping of branch name in the message
|
|
raw, _ := doc.Find("#sync_fork_msg").Html()
|
|
assert.Contains(t, raw, fmt.Sprintf(`This branch is 1 commit behind <a href="http://localhost:%s/user2/repo1/src/branch/%s">user2/repo1:%s</a>`,
|
|
u.Port(), branchURLEscaped, branchHTMLEscaped))
|
|
|
|
// Verify that the form link doesn't do anything for a GET request
|
|
forkOwnerSession.MakeRequest(t, NewRequest(t, "GET", updateLink), http.StatusMethodNotAllowed)
|
|
|
|
// Verify that the form link does not error out
|
|
forkOwnerSession.MakeRequest(t, NewRequestWithValues(t, "POST", updateLink, map[string]string{
|
|
"_csrf": GetCSRF(t, forkOwnerSession, forkLink),
|
|
"branch": branchName,
|
|
}), http.StatusSeeOther)
|
|
})
|
|
}
|