add /.well-known/security.txt endpoint

resolves #38 adds RFC 9116 machine parsable File Format to Aid in Security Vulnerability Disclosure
2023-06-27 03:43:33 +03:00 · 2023-06-27 03:43:33 +03:00 · 8ab1f8375c
commit 8ab1f8375c
parent efc17a6d3c
4 changed files with 83 additions and 0 deletions
--- a/routers/web/security_txt_test.go
+++ b/routers/web/security_txt_test.go
@ -0,0 +1,57 @@
+// Copyright 2023 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package web
+
+import (
+	"regexp"
+	"testing"
+	"time"
+)
+
+func extractLines(message, pattern string) []string {
+	ptn := regexp.MustCompile(pattern)
+	return ptn.FindAllString(message, -1)
+}
+
+func TestSecurityTxt(t *testing.T) {
+	// Contact: is required and value MUST be https:// or mailto:
+	{
+		contacts := extractLines(securityTxtContent, `(?m:^Contact: .+$)`)
+		if contacts == nil {
+			t.Error("Error: \"Contact: \" field is required")
+		}
+		for _, contact := range contacts {
+			match, err := regexp.MatchString("Contact: (https:)|(mailto:)", contact)
+			if !match {
+				t.Error("Error in line ", contact, "\n\"Contact:\" field have incorrect format")
+			}
+			if err != nil {
+				t.Error("Error in line ", contact, err)
+			}
+		}
+	}
+	// Expires is required
+	{
+		expires := extractLines(securityTxtContent, `(?m:^Expires: .+$)`)
+		if expires == nil {
+			t.Error("Error: \"Expires: \" field is required")
+		}
+		if len(expires) != 1 {
+			t.Error("Error: \"Expires: \" MUST be single")
+		}
+		expRe := regexp.MustCompile(`Expires: (.*)`)
+		expSlice := expRe.FindStringSubmatch(expires[0])
+		if len(expSlice) != 2 {
+			t.Error("Error: \"Expires: \" have no value")
+		}
+		expValue := expSlice[1]
+		expTime, err := time.Parse(time.RFC3339, expValue)
+		if err != nil {
+			t.Error("Error parsing Expires value", expValue, err)
+		}
+		if time.Now().AddDate(0, 2, 0).After(expTime) {
+			t.Error("Error: Expires date time almost in the past", expTime)
+		}
+	}
+}