mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-11-04 08:21:11 +00:00
16879b07d2
Related to #2773 Related to Refactor URL detection [gitea#29960](https://github.com/go-gitea/gitea/pull/29960) Related to Refactor external URL detection [gitea#29973](https://github.com/go-gitea/gitea/pull/29973) I added a bunch of tests to `httplib.TestIsRiskyRedirectURL` and some cases should be better handled (however it is not an easy task). I also ported the removal of `utils.IsExternalURL`, since it prevents duplicated (subtle) code. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3167 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: oliverpool <git@olivier.pfad.fr> Co-committed-by: oliverpool <git@olivier.pfad.fr>
123 lines
3.4 KiB
Go
123 lines
3.4 KiB
Go
// Copyright 2023 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package httplib
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"code.gitea.io/gitea/modules/setting"
|
|
"code.gitea.io/gitea/modules/test"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestIsRiskyRedirectURL(t *testing.T) {
|
|
defer test.MockVariableValue(&setting.AppURL, "http://localhost:3000/sub/")()
|
|
defer test.MockVariableValue(&setting.AppSubURL, "/sub")()
|
|
|
|
tests := []struct {
|
|
input string
|
|
want bool
|
|
}{
|
|
{"", false},
|
|
{"foo", false},
|
|
{"./", false},
|
|
{"?key=val", false},
|
|
{"/sub/", false},
|
|
{"http://localhost:3000/sub/", false},
|
|
{"/sub/foo", false},
|
|
{"http://localhost:3000/sub/foo", false},
|
|
{"http://localhost:3000/sub/test?param=false", false},
|
|
// FIXME: should probably be true (would requires resolving references using setting.appURL.ResolveReference(u))
|
|
{"/sub/../", false},
|
|
{"http://localhost:3000/sub/../", false},
|
|
{"/sUb/", false},
|
|
{"http://localhost:3000/sUb/foo", false},
|
|
{"/sub", false},
|
|
{"/foo?k=%20#abc", false},
|
|
{"/", false},
|
|
{"a/", false},
|
|
{"test?param=false", false},
|
|
{"/hey/hey/hey#3244", false},
|
|
|
|
{"//", true},
|
|
{"\\\\", true},
|
|
{"/\\", true},
|
|
{"\\/", true},
|
|
{"mail:a@b.com", true},
|
|
{"https://test.com", true},
|
|
{"http://localhost:3000/foo", true},
|
|
{"http://localhost:3000/sub", true},
|
|
{"http://localhost:3000/sub?key=val", true},
|
|
{"https://example.com/", true},
|
|
{"//example.com", true},
|
|
{"http://example.com", true},
|
|
{"http://localhost:3000/test?param=false", true},
|
|
{"//localhost:3000/test?param=false", true},
|
|
{"://missing protocol scheme", true},
|
|
// FIXME: should probably be false
|
|
{"//localhost:3000/sub/test?param=false", true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.input, func(t *testing.T) {
|
|
assert.Equal(t, tt.want, IsRiskyRedirectURL(tt.input))
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestIsRiskyRedirectURLWithoutSubURL(t *testing.T) {
|
|
defer test.MockVariableValue(&setting.AppURL, "https://next.forgejo.org/")()
|
|
defer test.MockVariableValue(&setting.AppSubURL, "")()
|
|
|
|
tests := []struct {
|
|
input string
|
|
want bool
|
|
}{
|
|
{"", false},
|
|
{"foo", false},
|
|
{"./", false},
|
|
{"?key=val", false},
|
|
{"/sub/", false},
|
|
{"https://next.forgejo.org/sub/", false},
|
|
{"/sub/foo", false},
|
|
{"https://next.forgejo.org/sub/foo", false},
|
|
{"https://next.forgejo.org/sub/test?param=false", false},
|
|
{"https://next.forgejo.org/sub/../", false},
|
|
{"/sub/../", false},
|
|
{"/sUb/", false},
|
|
{"https://next.forgejo.org/sUb/foo", false},
|
|
{"/sub", false},
|
|
{"/foo?k=%20#abc", false},
|
|
{"/", false},
|
|
{"a/", false},
|
|
{"test?param=false", false},
|
|
{"/hey/hey/hey#3244", false},
|
|
{"https://next.forgejo.org/test?param=false", false},
|
|
{"https://next.forgejo.org/foo", false},
|
|
{"https://next.forgejo.org/sub", false},
|
|
{"https://next.forgejo.org/sub?key=val", false},
|
|
|
|
{"//", true},
|
|
{"\\\\", true},
|
|
{"/\\", true},
|
|
{"\\/", true},
|
|
{"mail:a@b.com", true},
|
|
{"https://test.com", true},
|
|
{"https://example.com/", true},
|
|
{"//example.com", true},
|
|
{"http://example.com", true},
|
|
{"://missing protocol scheme", true},
|
|
{"https://forgejo.org", true},
|
|
{"https://example.org?url=https://next.forgejo.org", true},
|
|
// FIXME: should probably be false
|
|
{"https://next.forgejo.org", true},
|
|
{"//next.forgejo.org/test?param=false", true},
|
|
{"//next.forgejo.org/sub/test?param=false", true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.input, func(t *testing.T) {
|
|
assert.Equal(t, tt.want, IsRiskyRedirectURL(tt.input))
|
|
})
|
|
}
|
|
}
|