mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-07-18 23:47:50 +00:00
2026-06-10 security patches (#13001)
- fix: prevent stored XSS in user display name on Actions page - fix: LFS locks must belong to the intended repo, port from Gitea - fix: prevent unauthorized access to draft releases via API - fix: prevent writes to OpenID visibility which may affect other users - fix: prevent viewing private PRs that are linked to public issues on public projects Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13001 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Reviewed-by: Beowulf <beowulf@beocode.eu>
This commit is contained in:
parent
4e992341a0
commit
4b83448b7d
20 changed files with 407 additions and 36 deletions
|
|
@ -288,6 +288,106 @@ func TestAPIReleaseGetDraftByTag(t *testing.T) {
|
|||
assert.NotEmpty(t, err.Message)
|
||||
}
|
||||
|
||||
func TestAPIReleaseGet(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
|
||||
session := loginUser(t, "user2")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
t.Run("draft release, no permission", func(t *testing.T) {
|
||||
rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{
|
||||
RepoID: repo.ID,
|
||||
TagName: "draft-release",
|
||||
})
|
||||
assert.True(t, rel.IsDraft)
|
||||
assert.False(t, rel.IsTag) // wouldn't test the CanWrite(TypeReleases) check for the draft, if this were the case
|
||||
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d", repo.OwnerName, repo.Name, rel.ID))
|
||||
resp := MakeRequest(t, req, http.StatusNotFound)
|
||||
var err *api.APIError
|
||||
DecodeJSON(t, resp, &err)
|
||||
assert.NotEmpty(t, err.Message)
|
||||
})
|
||||
|
||||
t.Run("draft release, w/ permission", func(t *testing.T) {
|
||||
rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{
|
||||
RepoID: repo.ID,
|
||||
TagName: "draft-release",
|
||||
})
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d", repo.OwnerName, repo.Name, rel.ID)).
|
||||
AddTokenAuth(token)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
var apiRelease *api.Release
|
||||
DecodeJSON(t, resp, &apiRelease)
|
||||
assert.Equal(t, rel.TagName, apiRelease.TagName)
|
||||
})
|
||||
|
||||
t.Run("published release", func(t *testing.T) {
|
||||
rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{
|
||||
RepoID: repo.ID,
|
||||
TagName: "v1.1",
|
||||
})
|
||||
assert.False(t, rel.IsDraft)
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d", repo.OwnerName, repo.Name, rel.ID))
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
var apiRelease *api.Release
|
||||
DecodeJSON(t, resp, &apiRelease)
|
||||
assert.Equal(t, rel.TagName, apiRelease.TagName)
|
||||
})
|
||||
}
|
||||
|
||||
func TestAPIReleaseGetAssets(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
|
||||
session := loginUser(t, "user2")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
t.Run("draft release, no permission", func(t *testing.T) {
|
||||
rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{
|
||||
RepoID: repo.ID,
|
||||
TagName: "draft-release",
|
||||
})
|
||||
assert.True(t, rel.IsDraft)
|
||||
assert.False(t, rel.IsTag) // wouldn't test the CanWrite(TypeReleases) check for the draft, if this were the case
|
||||
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d/assets", repo.OwnerName, repo.Name, rel.ID))
|
||||
resp := MakeRequest(t, req, http.StatusNotFound)
|
||||
var err *api.APIError
|
||||
DecodeJSON(t, resp, &err)
|
||||
assert.NotEmpty(t, err.Message)
|
||||
})
|
||||
|
||||
t.Run("draft release, w/ permission", func(t *testing.T) {
|
||||
rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{
|
||||
RepoID: repo.ID,
|
||||
TagName: "draft-release",
|
||||
})
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d/assets", repo.OwnerName, repo.Name, rel.ID)).
|
||||
AddTokenAuth(token)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
var attach []*api.Attachment
|
||||
DecodeJSON(t, resp, &attach)
|
||||
assert.Empty(t, attach)
|
||||
})
|
||||
|
||||
t.Run("published release", func(t *testing.T) {
|
||||
rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{
|
||||
RepoID: repo.ID,
|
||||
TagName: "v1.1",
|
||||
})
|
||||
assert.False(t, rel.IsDraft)
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d/assets", repo.OwnerName, repo.Name, rel.ID))
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
var attach []*api.Attachment
|
||||
DecodeJSON(t, resp, &attach)
|
||||
assert.Len(t, attach, 1)
|
||||
})
|
||||
}
|
||||
|
||||
func TestAPIReleaseDeleteByTagName(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue