diff options
| author | wxiaoguang <wxiaoguang@gmail.com> | 2022-04-08 13:21:05 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-04-08 13:21:05 +0800 |
| commit | 84ceaa98bd731431c7d3a7f65e59e7ad076a540f (patch) | |
| tree | fc2743a69cde4e46c3a55796e2ab1541269b6c65 /integrations | |
| parent | 3c3d49899f0f7206e190bdeecdc4da248cc7e686 (diff) | |
| download | gitea-84ceaa98bd731431c7d3a7f65e59e7ad076a540f.tar.gz gitea-84ceaa98bd731431c7d3a7f65e59e7ad076a540f.zip | |
Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337)
Do a refactoring to the CSRF related code, remove most unnecessary functions.
Parse the generated token's issue time, regenerate the token every a few minutes.
Diffstat (limited to 'integrations')
| -rw-r--r-- | integrations/csrf_test.go | 52 | ||||
| -rw-r--r-- | integrations/repo_topic_test.go | 1 |
2 files changed, 53 insertions, 0 deletions
diff --git a/integrations/csrf_test.go b/integrations/csrf_test.go new file mode 100644 index 0000000000..5bfc97bbd1 --- /dev/null +++ b/integrations/csrf_test.go @@ -0,0 +1,52 @@ +// Copyright 2017 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package integrations + +import ( + "net/http" + "strings" + "testing" + + "code.gitea.io/gitea/models/unittest" + user_model "code.gitea.io/gitea/models/user" + "code.gitea.io/gitea/modules/setting" + + "github.com/stretchr/testify/assert" +) + +func TestCsrfProtection(t *testing.T) { + defer prepareTestEnv(t)() + + // test web form csrf via form + user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User) + session := loginUser(t, user.Name) + req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{ + "_csrf": "fake_csrf", + }) + session.MakeRequest(t, req, http.StatusSeeOther) + + resp := session.MakeRequest(t, req, http.StatusSeeOther) + loc := resp.Header().Get("Location") + assert.Equal(t, setting.AppSubURL+"/", loc) + resp = session.MakeRequest(t, NewRequest(t, "GET", loc), http.StatusOK) + htmlDoc := NewHTMLParser(t, resp.Body) + assert.Equal(t, "Bad Request: invalid CSRF token", + strings.TrimSpace(htmlDoc.doc.Find(".ui.message").Text()), + ) + + // test web form csrf via header. TODO: should use an UI api to test + req = NewRequest(t, "POST", "/user/settings") + req.Header.Add("X-Csrf-Token", "fake_csrf") + session.MakeRequest(t, req, http.StatusSeeOther) + + resp = session.MakeRequest(t, req, http.StatusSeeOther) + loc = resp.Header().Get("Location") + assert.Equal(t, setting.AppSubURL+"/", loc) + resp = session.MakeRequest(t, NewRequest(t, "GET", loc), http.StatusOK) + htmlDoc = NewHTMLParser(t, resp.Body) + assert.Equal(t, "Bad Request: invalid CSRF token", + strings.TrimSpace(htmlDoc.doc.Find(".ui.message").Text()), + ) +} diff --git a/integrations/repo_topic_test.go b/integrations/repo_topic_test.go index 146f90e710..e049afdd7c 100644 --- a/integrations/repo_topic_test.go +++ b/integrations/repo_topic_test.go @@ -10,6 +10,7 @@ import ( "testing" api "code.gitea.io/gitea/modules/structs" + "github.com/stretchr/testify/assert" ) |