Skip to content

Ensure GetCSRF doesn't return an empty token #32130

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Sep 30, 2024
Merged

Ensure GetCSRF doesn't return an empty token #32130

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
2cbc7d6
test: fix GetCSRF
wolfogre Sep 25, 2024
74cf5a8
test: fix TestCreateAnonymousAttachment
wolfogre Sep 25, 2024
3b07e1f
test: drop csrf token for GET requests
wolfogre Sep 25, 2024
10b2d63
chore: use /explore/repos
wolfogre Sep 25, 2024
9338b41
Revert "chore: use /explore/repos"
wolfogre Sep 25, 2024
60b4259
chore: use different urls
wolfogre Sep 25, 2024
58bc786
chore: improve createAttachment
wolfogre Sep 25, 2024
4c4233d
fix lint
wxiaoguang Sep 25, 2024
0bea254
Merge branch 'main' into bugfix/get_csrf
GiteaBot Sep 28, 2024
7d4d180
Merge branch 'main' into bugfix/get_csrf
GiteaBot Sep 28, 2024
58630f8
Merge branch 'main' into bugfix/get_csrf
GiteaBot Sep 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 10 additions & 3 deletions tests/integration/attachment_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,15 @@ func createAttachment(t *testing.T, session *TestSession, repoURL, filename stri
err = writer.Close()
assert.NoError(t, err)

csrf := GetCSRF(t, session, repoURL)
var csrf string
// FIXME: It's quite hacky to determine if it's a logged in user or not and use the right URL to get the CSRF token
if expectedStatus == http.StatusSeeOther {
// the session is not logged in
csrf = GetCSRF(t, session, "/user/login")
} else {
// the session is logged in
csrf = GetCSRF(t, session, repoURL)
}

req := NewRequestWithBody(t, "POST", repoURL+"/issues/attachments", body)
req.Header.Add("X-Csrf-Token", csrf)
Expand All @@ -59,8 +67,7 @@ func createAttachment(t *testing.T, session *TestSession, repoURL, filename stri
func TestCreateAnonymousAttachment(t *testing.T) {
defer tests.PrepareTestEnv(t)()
session := emptyTestSession(t)
// this test is not right because it just doesn't pass the CSRF validation
createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusBadRequest)
createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusSeeOther)
}

func TestCreateIssueAttachment(t *testing.T) {
Expand Down
7 changes: 6 additions & 1 deletion tests/integration/integration_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ import (

"github.com/PuerkitoBio/goquery"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/xeipuuv/gojsonschema"
)

Expand Down Expand Up @@ -486,12 +487,16 @@ func VerifyJSONSchema(t testing.TB, resp *httptest.ResponseRecorder, schemaFile
}

// GetCSRF returns CSRF token from body
// If it fails, it means the CSRF token is not found in the response body returned by the url with the given session.
// In this case, you should find a better url to get it.
func GetCSRF(t testing.TB, session *TestSession, urlStr string) string {
t.Helper()
req := NewRequest(t, "GET", urlStr)
resp := session.MakeRequest(t, req, http.StatusOK)
doc := NewHTMLParser(t, resp.Body)
return doc.GetCSRF()
csrf := doc.GetCSRF()
require.NotEmpty(t, csrf)
return csrf
}

// GetCSRFFrom returns CSRF token from body
Expand Down
4 changes: 0 additions & 4 deletions tests/integration/org_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -204,9 +204,7 @@ func TestTeamSearch(t *testing.T) {
var results TeamSearchResults

session := loginUser(t, user.Name)
csrf := GetCSRF(t, session, "/"+org.Name)
req := NewRequestf(t, "GET", "/org/%s/teams/-/search?q=%s", org.Name, "_team")
req.Header.Add("X-Csrf-Token", csrf)
resp := session.MakeRequest(t, req, http.StatusOK)
DecodeJSON(t, resp, &results)
assert.NotEmpty(t, results.Data)
Expand All @@ -217,8 +215,6 @@ func TestTeamSearch(t *testing.T) {
// no access if not organization member
user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
session = loginUser(t, user5.Name)
csrf = GetCSRF(t, session, "/"+org.Name)
req = NewRequestf(t, "GET", "/org/%s/teams/-/search?q=%s", org.Name, "team")
req.Header.Add("X-Csrf-Token", csrf)
session.MakeRequest(t, req, http.StatusNotFound)
}
Loading