domi/forgejo-domi
1
0
Fork 0
forked from forgejo/forgejo
Code Pull requests Activity

[SECURITY] Test XSS in dismissed review

Browse source 
It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.

(cherry picked from commit ca798e4cc2)
This commit is contained in:
Gusted 2024-01-18 00:18:39 +01:00 committed by Earl Warren
parent fe2df46d05
commit d3de80b9cc
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
3 changed files with 32 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

15
tests/integration/xss_test.go
View file

@ -13,6 +13,7 @@ import (
"testing"
"time"
issues_model "code.gitea.io/gitea/models/issues"
"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/git"
@ -112,3 +113,17 @@ func TestXSSWikiLastCommitInfo(t *testing.T) {
})
})
}
func TestXSSReviewDismissed(t *testing.T) {
defer tests.AddFixtures("tests/integration/fixtures/TestXSSReviewDismissed/")()
defer tests.PrepareTestEnv(t)()
review := unittest.AssertExistsAndLoadBean(t, &issues_model.Review{ID: 1000})
req := NewRequest(t, http.MethodGet, fmt.Sprintf("/user2/repo1/pulls/%d", +review.IssueID))
resp := MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
htmlDoc.AssertElement(t, "script.evil", false)
assert.Contains(t, htmlDoc.Find("#issuecomment-1000 .dismissed-message").Text(), `dismissed Otto <script class='evil'>alert('Oh no!')</script>s review`)
}