author | zeripath <art27@cantab.net> | 2018-11-04 01:15:55 +0000 |
committer | techknowlogick <hello@techknowlogick.com> | 2018-11-03 21:15:55 -0400 |
commit | 7096085f2b07246315e95e394b180ce9729efbb0 (patch) | |
tree | bd19725b9897567b5868d7edabe7a800da1899f4 /integrations | |
parent | 57a8440db372d3b2a01d3ef12a4a560424a08657 (diff) | |
Fix #5226 by adding CSRF checking to api reqToken and add CSRF to the POST header for deadline (#5250)
* Add CSRF checking to reqToken and place CSRF in the post for deadline creation
Fixes #5226, #5249
* /api/v1/admin/users routes should have reqToken middleware
Diffstat (limited to 'integrations')
-rw-r--r-- | integrations/api_admin_test.go | 10 | ||||
-rw-r--r-- | integrations/git_test.go | 3 |
2 files changed, 7 insertions, 6 deletions
diff --git a/integrations/api_admin_test.go b/integrations/api_admin_test.go
index 690edad757..b8dded9c11 100644
--- a/integrations/api_admin_test.go
+++ b/integrations/api_admin_test.go
@@ -39,8 +39,8 @@ func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
 OwnerID: keyOwner.ID,
 })
- req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token="+token,
- keyOwner.Name, newPublicKey.ID)
+ req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
+ keyOwner.Name, newPublicKey.ID, token)
 session.MakeRequest(t, req, http.StatusNoContent)
 models.AssertNotExistsBean(t, &models.PublicKey{ID: newPublicKey.ID})
 }
@@ -51,7 +51,7 @@ func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {
 session := loginUser(t, "user1")
 token := getTokenForLoggedInUser(t, session)
- req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token="+token, models.NonexistentID)
+ req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token=%s", models.NonexistentID, token)
 session.MakeRequest(t, req, http.StatusNotFound)
 }
@@ -73,8 +73,8 @@ func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {
 session = loginUser(t, normalUsername)
 token = getTokenForLoggedInUser(t, session)
- req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token="+token,
- adminUsername, newPublicKey.ID)
+ req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
+ adminUsername, newPublicKey.ID, token)
 session.MakeRequest(t, req, http.StatusForbidden)
 }
diff --git a/integrations/git_test.go b/integrations/git_test.go
index 7ac375dd02..96d39e0519 100644
--- a/integrations/git_test.go
+++ b/integrations/git_test.go
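Review bot: The token is still interpolated raw into the query string on the new `+ req = NewRequestf(... "?token=%s", ..., token)` lines; `%s` is only a cosmetic change from the old `"?token="+token` and does nothing if a token ever contains a reserved character, so `url.QueryEscape(token)` would make the request construction robust rather than relying on the token alphabet. The same pattern is repeated in the -51 and -73 hunks of this file and in the git_test.go hunk below. Passing the token as a query parameter also means these tests only cover the URL form, which ends up in server and proxy logs; a case that sends the token in a request header, if the API accepts one, would cover the form callers should prefer. All three enclosing test functions start before their hunks, so the construction of `session`/`token` in the first and third is not visible here.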
@@ -143,7 +143,8 @@ func TestGit(t *testing.T) {
 session := loginUser(t, "user1")
 keyOwner := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
- urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys", keyOwner.Name)
+ token := getTokenForLoggedInUser(t, session)
+ urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)
 dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
 assert.NoError(t, err)
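Review bot: Adding `token` to `urlStr` on the new line moves this request onto the API-token path, so the session-cookie branch that the commit description says now requires a CSRF check in reqToken is no longer exercised by this test. The description also says a CSRF value was added to the deadline POST; a companion request here that keeps the session login, omits the token and sends the session's CSRF header would confirm the new check both accepts a valid CSRF value and rejects a missing one. The request that consumes `urlStr` and TestGit itself continue outside the hunk, so this is inferred from the two added lines and the commit message. A short comment above the new line, such as `// use token auth so the admin key POST does not depend on the session CSRF check`, would record why the token was introduced.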