domi/forgejo-domi
1
0
Fork 0
forked from forgejo/forgejo
Code Pull requests Activity

Enforce token on api routes [fixed critical security issue #4357] (#4840)

Browse source
This commit is contained in:
B-OnTheGo 2018-09-11 02:15:52 +10:00 committed by techknowlogick
parent 387a4b09c1
commit e47df0b301
17 changed files with 131 additions and 89 deletions
Download patch file Download diff file Expand all files Collapse all files

25
integrations/api_repo_test.go
View file

@ -76,7 +76,7 @@ func TestAPISearchRepo(t *testing.T) {
user: {count: 10},
user2: {count: 10}},
},
{name: "RepositoriesDefaultMax10", requestURL: "/api/v1/repos/search", expectedResults: expectedResults{
{name: "RepositoriesDefaultMax10", requestURL: "/api/v1/repos/search?default", expectedResults: expectedResults{
nil: {count: 10},
user: {count: 10},
user2: {count: 10}},
@ -143,9 +143,11 @@ func TestAPISearchRepo(t *testing.T) {
var session *TestSession
var testName string
var userID int64
var token string
if userToLogin != nil && userToLogin.ID > 0 {
testName = fmt.Sprintf("LoggedUser%d", userToLogin.ID)
session = loginUser(t, userToLogin.Name)
token = getTokenForLoggedInUser(t, session)
userID = userToLogin.ID
} else {
testName = "AnonymousUser"
@ -153,7 +155,7 @@ func TestAPISearchRepo(t *testing.T) {
}
t.Run(testName, func(t *testing.T) {
request := NewRequest(t, "GET", testCase.requestURL)
request := NewRequest(t, "GET", testCase.requestURL+"&token="+token)
response := session.MakeRequest(t, request, http.StatusOK)
var body api.SearchResults
@ -214,8 +216,8 @@ func TestAPIOrgRepos(t *testing.T) {
sourceOrg := models.AssertExistsAndLoadBean(t, &models.User{ID: 3}).(*models.User)
// Login as User2.
session := loginUser(t, user.Name)
req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos", sourceOrg.Name)
token := getTokenForLoggedInUser(t, session)
req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token="+token, sourceOrg.Name)
resp := session.MakeRequest(t, req, http.StatusOK)
var apiRepos []*api.Repository
@ -231,9 +233,10 @@ func TestAPIOrgRepos(t *testing.T) {
func TestAPIGetRepoByIDUnauthorized(t *testing.T) {
prepareTestEnv(t)
user := models.AssertExistsAndLoadBean(t, &models.User{ID: 4}).(*models.User)
sess := loginUser(t, user.Name)
req := NewRequestf(t, "GET", "/api/v1/repositories/2")
sess.MakeRequest(t, req, http.StatusNotFound)
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
req := NewRequestf(t, "GET", "/api/v1/repositories/2?token="+token)
session.MakeRequest(t, req, http.StatusNotFound)
}
func TestAPIRepoMigrate(t *testing.T) {
@ -253,8 +256,8 @@ func TestAPIRepoMigrate(t *testing.T) {
for _, testCase := range testCases {
user := models.AssertExistsAndLoadBean(t, &models.User{ID: testCase.ctxUserID}).(*models.User)
session := loginUser(t, user.Name)
req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate", &api.MigrateRepoOption{
token := getTokenForLoggedInUser(t, session)
req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate?token="+token, &api.MigrateRepoOption{
CloneAddr: testCase.cloneURL,
UID: int(testCase.userID),
RepoName: testCase.repoName,
@ -278,8 +281,8 @@ func TestAPIOrgRepoCreate(t *testing.T) {
for _, testCase := range testCases {
user := models.AssertExistsAndLoadBean(t, &models.User{ID: testCase.ctxUserID}).(*models.User)
session := loginUser(t, user.Name)
req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/org/%s/repos", testCase.orgName), &api.CreateRepoOption{
token := getTokenForLoggedInUser(t, session)
req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/org/%s/repos?token="+token, testCase.orgName), &api.CreateRepoOption{
Name: testCase.repoName,
})
session.MakeRequest(t, req, testCase.expectedStatus)