aboutsummaryrefslogtreecommitdiffstats
path: root/integrations
diff options
context:
space:
mode:
authorAntoine GIRARD <sapk@users.noreply.github.com>2020-01-05 00:20:08 +0100
committerLauris BH <lauris@nix.lv>2020-01-05 01:20:08 +0200
commit8b2407371365fc123fc368bfd46b15f55ba8ae6a (patch)
tree8f112acce97c863846a88a6b37e3b570062860d2 /integrations
parent6a5a2f493a2b8d19a9f6196bd208a3b8a14e9c1c (diff)
downloadgitea-8b2407371365fc123fc368bfd46b15f55ba8ae6a.tar.gz
gitea-8b2407371365fc123fc368bfd46b15f55ba8ae6a.zip
Only serve attachments when linked to issue/release and if accessible by user (#9340)
* test: add current attachement responses * refactor: check if attachement is linked and accessible by user * chore: clean TODO * fix: typo attachement -> attachment * revert un-needed go.sum change * refactor: move models logic to models * fix TestCreateIssueAttachment which was wrongly successful * fix unit tests with unittype added * fix unit tests with changes * use a valid uuid format for pgsql int. test * test: add unit test TestLinkedRepository * refactor: allow uploader to access unlinked attachement * add missing blank line * refactor: move to a separate function repo.GetAttachment * typo * test: remove err test return * refactor: use repo perm for access checking generally + 404 for all reject
Diffstat (limited to 'integrations')
-rw-r--r--integrations/attachement_test.go88
-rw-r--r--integrations/attachment_test.go137
2 files changed, 137 insertions, 88 deletions
diff --git a/integrations/attachement_test.go b/integrations/attachement_test.go
deleted file mode 100644
index 8d709a376e..0000000000
--- a/integrations/attachement_test.go
+++ /dev/null
@@ -1,88 +0,0 @@
-// Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package integrations
-
-import (
- "bytes"
- "image"
- "image/png"
- "io"
- "mime/multipart"
- "net/http"
- "testing"
-
- "code.gitea.io/gitea/modules/test"
- "github.com/stretchr/testify/assert"
-)
-
-func generateImg() bytes.Buffer {
- // Generate image
- myImage := image.NewRGBA(image.Rect(0, 0, 32, 32))
- var buff bytes.Buffer
- png.Encode(&buff, myImage)
- return buff
-}
-
-func createAttachment(t *testing.T, session *TestSession, repoURL, filename string, buff bytes.Buffer, expectedStatus int) string {
- body := &bytes.Buffer{}
-
- //Setup multi-part
- writer := multipart.NewWriter(body)
- part, err := writer.CreateFormFile("file", filename)
- assert.NoError(t, err)
- _, err = io.Copy(part, &buff)
- assert.NoError(t, err)
- err = writer.Close()
- assert.NoError(t, err)
-
- csrf := GetCSRF(t, session, repoURL)
-
- req := NewRequestWithBody(t, "POST", "/attachments", body)
- req.Header.Add("X-Csrf-Token", csrf)
- req.Header.Add("Content-Type", writer.FormDataContentType())
- resp := session.MakeRequest(t, req, expectedStatus)
-
- if expectedStatus != http.StatusOK {
- return ""
- }
- var obj map[string]string
- DecodeJSON(t, resp, &obj)
- return obj["uuid"]
-}
-
-func TestCreateAnonymousAttachment(t *testing.T) {
- prepareTestEnv(t)
- session := emptyTestSession(t)
- createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusFound)
-}
-
-func TestCreateIssueAttachement(t *testing.T) {
- prepareTestEnv(t)
- const repoURL = "user2/repo1"
- session := loginUser(t, "user2")
- uuid := createAttachment(t, session, repoURL, "image.png", generateImg(), http.StatusOK)
-
- req := NewRequest(t, "GET", repoURL+"/issues/new")
- resp := session.MakeRequest(t, req, http.StatusOK)
- htmlDoc := NewHTMLParser(t, resp.Body)
-
- link, exists := htmlDoc.doc.Find("form").Attr("action")
- assert.True(t, exists, "The template has changed")
-
- postData := map[string]string{
- "_csrf": htmlDoc.GetCSRF(),
- "title": "New Issue With Attachement",
- "content": "some content",
- "files[0]": uuid,
- }
-
- req = NewRequestWithValues(t, "POST", link, postData)
- resp = session.MakeRequest(t, req, http.StatusFound)
- test.RedirectURL(resp) // check that redirect URL exists
-
- //Validate that attachement is available
- req = NewRequest(t, "GET", "/attachments/"+uuid)
- session.MakeRequest(t, req, http.StatusOK)
-}
diff --git a/integrations/attachment_test.go b/integrations/attachment_test.go
new file mode 100644
index 0000000000..746256df95
--- /dev/null
+++ b/integrations/attachment_test.go
@@ -0,0 +1,137 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+ "bytes"
+ "image"
+ "image/png"
+ "io"
+ "io/ioutil"
+ "mime/multipart"
+ "net/http"
+ "os"
+ "path"
+ "testing"
+
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/test"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func generateImg() bytes.Buffer {
+ // Generate image
+ myImage := image.NewRGBA(image.Rect(0, 0, 32, 32))
+ var buff bytes.Buffer
+ png.Encode(&buff, myImage)
+ return buff
+}
+
+func createAttachment(t *testing.T, session *TestSession, repoURL, filename string, buff bytes.Buffer, expectedStatus int) string {
+ body := &bytes.Buffer{}
+
+ //Setup multi-part
+ writer := multipart.NewWriter(body)
+ part, err := writer.CreateFormFile("file", filename)
+ assert.NoError(t, err)
+ _, err = io.Copy(part, &buff)
+ assert.NoError(t, err)
+ err = writer.Close()
+ assert.NoError(t, err)
+
+ csrf := GetCSRF(t, session, repoURL)
+
+ req := NewRequestWithBody(t, "POST", "/attachments", body)
+ req.Header.Add("X-Csrf-Token", csrf)
+ req.Header.Add("Content-Type", writer.FormDataContentType())
+ resp := session.MakeRequest(t, req, expectedStatus)
+
+ if expectedStatus != http.StatusOK {
+ return ""
+ }
+ var obj map[string]string
+ DecodeJSON(t, resp, &obj)
+ return obj["uuid"]
+}
+
+func TestCreateAnonymousAttachment(t *testing.T) {
+ prepareTestEnv(t)
+ session := emptyTestSession(t)
+ createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusFound)
+}
+
+func TestCreateIssueAttachment(t *testing.T) {
+ prepareTestEnv(t)
+ const repoURL = "user2/repo1"
+ session := loginUser(t, "user2")
+ uuid := createAttachment(t, session, repoURL, "image.png", generateImg(), http.StatusOK)
+
+ req := NewRequest(t, "GET", repoURL+"/issues/new")
+ resp := session.MakeRequest(t, req, http.StatusOK)
+ htmlDoc := NewHTMLParser(t, resp.Body)
+
+ link, exists := htmlDoc.doc.Find("form").Attr("action")
+ assert.True(t, exists, "The template has changed")
+
+ postData := map[string]string{
+ "_csrf": htmlDoc.GetCSRF(),
+ "title": "New Issue With Attachment",
+ "content": "some content",
+ "files": uuid,
+ }
+
+ req = NewRequestWithValues(t, "POST", link, postData)
+ resp = session.MakeRequest(t, req, http.StatusFound)
+ test.RedirectURL(resp) // check that redirect URL exists
+
+ //Validate that attachment is available
+ req = NewRequest(t, "GET", "/attachments/"+uuid)
+ session.MakeRequest(t, req, http.StatusOK)
+}
+
+func TestGetAttachment(t *testing.T) {
+ prepareTestEnv(t)
+ adminSession := loginUser(t, "user1")
+ user2Session := loginUser(t, "user2")
+ user8Session := loginUser(t, "user8")
+ emptySession := emptyTestSession(t)
+ testCases := []struct {
+ name string
+ uuid string
+ createFile bool
+ session *TestSession
+ want int
+ }{
+ {"LinkedIssueUUID", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11", true, user2Session, http.StatusOK},
+ {"LinkedCommentUUID", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a17", true, user2Session, http.StatusOK},
+ {"linked_release_uuid", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a19", true, user2Session, http.StatusOK},
+ {"NotExistingUUID", "b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a18", false, user2Session, http.StatusNotFound},
+ {"FileMissing", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a18", false, user2Session, http.StatusInternalServerError},
+ {"NotLinked", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a20", true, user2Session, http.StatusNotFound},
+ {"NotLinkedAccessibleByUploader", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a20", true, user8Session, http.StatusOK},
+ {"PublicByNonLogged", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11", true, emptySession, http.StatusOK},
+ {"PrivateByNonLogged", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, emptySession, http.StatusNotFound},
+ {"PrivateAccessibleByAdmin", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, adminSession, http.StatusOK},
+ {"PrivateAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, user2Session, http.StatusOK},
+ {"RepoNotAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, user8Session, http.StatusNotFound},
+ {"OrgNotAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a21", true, user8Session, http.StatusNotFound},
+ }
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ //Write empty file to be available for response
+ if tc.createFile {
+ localPath := models.AttachmentLocalPath(tc.uuid)
+ err := os.MkdirAll(path.Dir(localPath), os.ModePerm)
+ assert.NoError(t, err)
+ err = ioutil.WriteFile(localPath, []byte("hello world"), 0644)
+ assert.NoError(t, err)
+ }
+ //Actual test
+ req := NewRequest(t, "GET", "/attachments/"+tc.uuid)
+ tc.session.MakeRequest(t, req, tc.want)
+ })
+ }
+}