authorGusted <williamzijl7@hotmail.com>2021-11-08 16:45:37 +0100
committerGitHub <noreply@github.com>2021-11-08 23:45:37 +0800
commit640f0e1ddf7a5cae8a778e989046e7438067a56c (patch)
tree8d7dd0f745455a9aab4328224f3e5d5755dea8f9
parentebaf4c48ea278955c5d79c5f37a2039ccb3cf775 (diff)
Only allow returned deleted branche to be on repo (#17570)
- This will only allow `GetDeletedBranchByID` to return a deletedBranch that is on the repo, and thus not return a deletedBranch from another repo. - This should just prevent possible bugs in the future when code passes the wrong ID into this function.
-rw-r--r--models/branches.go2
-rw-r--r--models/branches_test.go25
2 files changed, 26 insertions, 1 deletions
diff --git a/models/branches.go b/models/branches.go
index 3c62c7a87b..caca9e23fe 100644
--- a/models/branches.go
+++ b/models/branches.go
@@ -536,7 +536,7 @@ func (repo *Repository) GetDeletedBranches() ([]*DeletedBranch, error) {
// GetDeletedBranchByID get a deleted branch by its ID
func (repo *Repository) GetDeletedBranchByID(id int64) (*DeletedBranch, error) {
deletedBranch := &DeletedBranch{}
- has, err := db.GetEngine(db.DefaultContext).ID(id).Get(deletedBranch)
+ has, err := db.GetEngine(db.DefaultContext).Where("repo_id = ?", repo.ID).And("id = ?", id).Get(deletedBranch)
if err != nil {
return nil, err
}
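Review bot: The doc comment above GetDeletedBranchByID still says only "get a deleted branch by its ID", so the new repo scoping and the not-found result are undocumented. The accompanying test shows that a mismatch yields a nil branch with a nil error, so any caller that checks only `err` will dereference nil when handed an ID from another repository. I would change the comment to `// GetDeletedBranchByID returns the deleted branch with the given ID if it belongs to repo, and (nil, nil) if no such branch exists on this repo.` If some callers take the ID from request parameters (not visible here), this filter is effectively an object-level access check and is worth describing as one. The function body continues past the end of the hunk.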
diff --git a/models/branches_test.go b/models/branches_test.go
index f1dcfecfa8..e9a32666f9 100644
--- a/models/branches_test.go
+++ b/models/branches_test.go
@@ -128,3 +128,28 @@ func TestRenameBranch(t *testing.T) {
BranchName: "main",
})
}
+
+func TestOnlyGetDeletedBranchOnCorrectRepo(t *testing.T) {
+ assert.NoError(t, db.PrepareTestDatabase())
+
+ // Get deletedBranch with ID of 1 on repo with ID 2.
+ // This should return a nil branch as this deleted branch
+ // is actually on repo with ID 1.
+ repo2 := db.AssertExistsAndLoadBean(t, &Repository{ID: 2}).(*Repository)
+
+ deletedBranch, err := repo2.GetDeletedBranchByID(1)
+
+ // Expect no error, and the returned branch is nil.
+ assert.NoError(t, err)
+ assert.Nil(t, deletedBranch)
+
+ // Now get the deletedBranch with ID of 1 on repo with ID 1.
+ // This should return the deletedBranch.
+ repo1 := db.AssertExistsAndLoadBean(t, &Repository{ID: 1}).(*Repository)
+
+ deletedBranch, err = repo1.GetDeletedBranchByID(1)
+
+ // Expect no error, and the returned branch to be not nil.
+ assert.NoError(t, err)
+ assert.NotNil(t, deletedBranch)
+}
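Review bot: The positive case at the end of TestOnlyGetDeletedBranchOnCorrectRepo asserts only `NotNil`, so it would still pass if the query returned some other row for repo 1. Pinning the identity of the result would make the test fail on a wrong filter, e.g. `assert.EqualValues(t, 1, deletedBranch.ID)` and `assert.EqualValues(t, repo1.ID, deletedBranch.RepoID)` (assuming the struct exposes the `repo_id` column as `RepoID`). The test also depends on the fixture placing deleted branch 1 on repo 1, which the comments state but nothing asserts.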