mirror of
				https://codeberg.org/forgejo/forgejo.git
				synced 2025-10-26 20:11:02 +00:00 
			
		
		
		
	Related to #2773 Related to Refactor URL detection [gitea#29960](https://github.com/go-gitea/gitea/pull/29960) Related to Refactor external URL detection [gitea#29973](https://github.com/go-gitea/gitea/pull/29973) I added a bunch of tests to `httplib.TestIsRiskyRedirectURL` and some cases should be better handled (however it is not an easy task). I also ported the removal of `utils.IsExternalURL`, since it prevents duplicated (subtle) code. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3167 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: oliverpool <git@olivier.pfad.fr> Co-committed-by: oliverpool <git@olivier.pfad.fr>
		
			
				
	
	
		
			123 lines
		
	
	
	
		
			3.4 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			123 lines
		
	
	
	
		
			3.4 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright 2023 The Gitea Authors. All rights reserved.
 | |
| // SPDX-License-Identifier: MIT
 | |
| 
 | |
| package httplib
 | |
| 
 | |
| import (
 | |
| 	"testing"
 | |
| 
 | |
| 	"code.gitea.io/gitea/modules/setting"
 | |
| 	"code.gitea.io/gitea/modules/test"
 | |
| 
 | |
| 	"github.com/stretchr/testify/assert"
 | |
| )
 | |
| 
 | |
| func TestIsRiskyRedirectURL(t *testing.T) {
 | |
| 	defer test.MockVariableValue(&setting.AppURL, "http://localhost:3000/sub/")()
 | |
| 	defer test.MockVariableValue(&setting.AppSubURL, "/sub")()
 | |
| 
 | |
| 	tests := []struct {
 | |
| 		input string
 | |
| 		want  bool
 | |
| 	}{
 | |
| 		{"", false},
 | |
| 		{"foo", false},
 | |
| 		{"./", false},
 | |
| 		{"?key=val", false},
 | |
| 		{"/sub/", false},
 | |
| 		{"http://localhost:3000/sub/", false},
 | |
| 		{"/sub/foo", false},
 | |
| 		{"http://localhost:3000/sub/foo", false},
 | |
| 		{"http://localhost:3000/sub/test?param=false", false},
 | |
| 		// FIXME: should probably be true (would requires resolving references using setting.appURL.ResolveReference(u))
 | |
| 		{"/sub/../", false},
 | |
| 		{"http://localhost:3000/sub/../", false},
 | |
| 		{"/sUb/", false},
 | |
| 		{"http://localhost:3000/sUb/foo", false},
 | |
| 		{"/sub", false},
 | |
| 		{"/foo?k=%20#abc", false},
 | |
| 		{"/", false},
 | |
| 		{"a/", false},
 | |
| 		{"test?param=false", false},
 | |
| 		{"/hey/hey/hey#3244", false},
 | |
| 
 | |
| 		{"//", true},
 | |
| 		{"\\\\", true},
 | |
| 		{"/\\", true},
 | |
| 		{"\\/", true},
 | |
| 		{"mail:a@b.com", true},
 | |
| 		{"https://test.com", true},
 | |
| 		{"http://localhost:3000/foo", true},
 | |
| 		{"http://localhost:3000/sub", true},
 | |
| 		{"http://localhost:3000/sub?key=val", true},
 | |
| 		{"https://example.com/", true},
 | |
| 		{"//example.com", true},
 | |
| 		{"http://example.com", true},
 | |
| 		{"http://localhost:3000/test?param=false", true},
 | |
| 		{"//localhost:3000/test?param=false", true},
 | |
| 		{"://missing protocol scheme", true},
 | |
| 		// FIXME: should probably be false
 | |
| 		{"//localhost:3000/sub/test?param=false", true},
 | |
| 	}
 | |
| 	for _, tt := range tests {
 | |
| 		t.Run(tt.input, func(t *testing.T) {
 | |
| 			assert.Equal(t, tt.want, IsRiskyRedirectURL(tt.input))
 | |
| 		})
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func TestIsRiskyRedirectURLWithoutSubURL(t *testing.T) {
 | |
| 	defer test.MockVariableValue(&setting.AppURL, "https://next.forgejo.org/")()
 | |
| 	defer test.MockVariableValue(&setting.AppSubURL, "")()
 | |
| 
 | |
| 	tests := []struct {
 | |
| 		input string
 | |
| 		want  bool
 | |
| 	}{
 | |
| 		{"", false},
 | |
| 		{"foo", false},
 | |
| 		{"./", false},
 | |
| 		{"?key=val", false},
 | |
| 		{"/sub/", false},
 | |
| 		{"https://next.forgejo.org/sub/", false},
 | |
| 		{"/sub/foo", false},
 | |
| 		{"https://next.forgejo.org/sub/foo", false},
 | |
| 		{"https://next.forgejo.org/sub/test?param=false", false},
 | |
| 		{"https://next.forgejo.org/sub/../", false},
 | |
| 		{"/sub/../", false},
 | |
| 		{"/sUb/", false},
 | |
| 		{"https://next.forgejo.org/sUb/foo", false},
 | |
| 		{"/sub", false},
 | |
| 		{"/foo?k=%20#abc", false},
 | |
| 		{"/", false},
 | |
| 		{"a/", false},
 | |
| 		{"test?param=false", false},
 | |
| 		{"/hey/hey/hey#3244", false},
 | |
| 		{"https://next.forgejo.org/test?param=false", false},
 | |
| 		{"https://next.forgejo.org/foo", false},
 | |
| 		{"https://next.forgejo.org/sub", false},
 | |
| 		{"https://next.forgejo.org/sub?key=val", false},
 | |
| 
 | |
| 		{"//", true},
 | |
| 		{"\\\\", true},
 | |
| 		{"/\\", true},
 | |
| 		{"\\/", true},
 | |
| 		{"mail:a@b.com", true},
 | |
| 		{"https://test.com", true},
 | |
| 		{"https://example.com/", true},
 | |
| 		{"//example.com", true},
 | |
| 		{"http://example.com", true},
 | |
| 		{"://missing protocol scheme", true},
 | |
| 		{"https://forgejo.org", true},
 | |
| 		{"https://example.org?url=https://next.forgejo.org", true},
 | |
| 		// FIXME: should probably be false
 | |
| 		{"https://next.forgejo.org", true},
 | |
| 		{"//next.forgejo.org/test?param=false", true},
 | |
| 		{"//next.forgejo.org/sub/test?param=false", true},
 | |
| 	}
 | |
| 	for _, tt := range tests {
 | |
| 		t.Run(tt.input, func(t *testing.T) {
 | |
| 			assert.Equal(t, tt.want, IsRiskyRedirectURL(tt.input))
 | |
| 		})
 | |
| 	}
 | |
| }
 |