author | zeripath <art27@cantab.net> | 2019-04-20 07:44:50 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-04-20 07:44:50 +0100 |
commit | b33f7f792bf3a1a1e54639db94cc80b84f68ebfd (patch) | |
tree | 663f30dbc39028c188f88a35c68910abdaaa1331 /integrations | |
parent | b74dc970e9911e42861b88a1338ca504644b7cd2 (diff) | |
Prevent creating empty sessions (#6677)
* Prevent creating empty sessions
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update modules/setting/session.go
* Remove unnecessary option
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add destory to list of ignored misspellings
* rename cookie.go -> virtual.go
* Delete old file
* Add test to ensure that sessions are not created without being logged in
Signed-off-by: Andrew Thornton <art27@cantab.net>
* fix tests
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update integrations/create_no_session_test.go
Diffstat (limited to 'integrations')
-rw-r--r-- | integrations/create_no_session_test.go | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/integrations/create_no_session_test.go b/integrations/create_no_session_test.go
new file mode 100644
index 0000000000..0cdf7e2310
--- /dev/null
+++ b/integrations/create_no_session_test.go
@@ -0,0 +1,119 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+ "encoding/json"
+ "io/ioutil"
+ "net/http"
+ "net/http/httptest"
+ "os"
+ "path/filepath"
+ "testing"
+
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/routers/routes"
+
+ "github.com/go-macaron/session"
+ "github.com/stretchr/testify/assert"
+)
+
+func getSessionID(t *testing.T, resp *httptest.ResponseRecorder) string {
+ cookies := resp.Result().Cookies()
+ found := false
+ sessionID := ""
+ for _, cookie := range cookies {
+ if cookie.Name == setting.SessionConfig.CookieName {
+ sessionID = cookie.Value
+ found = true
+ }
+ }
+ assert.True(t, found)
+ assert.NotEmpty(t, sessionID)
+ return sessionID
+}
+
+func sessionFile(tmpDir, sessionID string) string {
+ return filepath.Join(tmpDir, sessionID[0:1], sessionID[1:2], sessionID)
+}
+
+func sessionFileExist(t *testing.T, tmpDir, sessionID string) bool {
+ sessionFile := sessionFile(tmpDir, sessionID)
+ _, err := os.Lstat(sessionFile)
+ if err != nil {
+ if os.IsNotExist(err) {
+ return false
+ }
+ assert.NoError(t, err)
+ }
+ return true
+}
+
+func TestSessionFileCreation(t *testing.T) {
+ prepareTestEnv(t)
+
+ oldSessionConfig := setting.SessionConfig.ProviderConfig
+ defer func() {
+ setting.SessionConfig.ProviderConfig = oldSessionConfig
+ mac = routes.NewMacaron()
+ routes.RegisterRoutes(mac)
+ }()
+
+ var config session.Options
+ err := json.Unmarshal([]byte(oldSessionConfig), &config)
+ assert.NoError(t, err)
+
+ config.Provider = "file"
+
+ // Now create a temporaryDirectory
+ tmpDir, err := ioutil.TempDir("", "sessions")
+ assert.NoError(t, err)
+ defer func() {
+ if _, err := os.Stat(tmpDir); !os.IsNotExist(err) {
+ _ = os.RemoveAll(tmpDir)
+ }
+ }()
+ config.ProviderConfig = tmpDir
+
+ newConfigBytes, err := json.Marshal(config)
+ assert.NoError(t, err)
+
+ setting.SessionConfig.ProviderConfig = string(newConfigBytes)
+
+ mac = routes.NewMacaron()
+ routes.RegisterRoutes(mac)
+
+ t.Run("NoSessionOnViewIssue", func(t *testing.T) {
+ PrintCurrentTest(t)
+
+ req := NewRequest(t, "GET", "/user2/repo1/issues/1")
+ resp := MakeRequest(t, req, http.StatusOK)
+ sessionID := getSessionID(t, resp)
+
+ // We're not logged in so there should be no session
+ assert.False(t, sessionFileExist(t, tmpDir, sessionID))
+ })
+ t.Run("CreateSessionOnLogin", func(t *testing.T) {
+ PrintCurrentTest(t)
+
+ req := NewRequest(t, "GET", "/user/login")
+ resp := MakeRequest(t, req, http.StatusOK)
+ sessionID := getSessionID(t, resp)
+
+ // We're not logged in so there should be no session
+ assert.False(t, sessionFileExist(t, tmpDir, sessionID))
+
+ doc := NewHTMLParser(t, resp.Body)
+ req = NewRequestWithValues(t, "POST", "/user/login", map[string]string{
+ "_csrf": doc.GetCSRF(),
+ "user_name": "user2",
+ "password": userPassword,
+ })
+ resp = MakeRequest(t, req, http.StatusFound)
+ sessionID = getSessionID(t, resp)
+
+ assert.FileExists(t, sessionFile(tmpDir, sessionID))
+ })
+} |
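Review bot: `getSessionID` uses non-fatal `assert.True`/`assert.NotEmpty`, so when the session cookie is absent or shorter than two characters the test keeps running into `sessionFile`, whose `sessionID[0:1]`/`sessionID[1:2]` slicing then panics and hides the real failure (no cookie set). Replacing the two asserts with `if !assert.True(t, found) || len(sessionID) < 2 { t.Fatalf("session cookie %q missing or too short", setting.SessionConfig.CookieName) }` stops the test at the actual cause. In `sessionFileExist`, a non-NotExist error from `os.Lstat` (for example a permission error) falls through to `return true`, which would make the "no session file" assertions fail with a misleading message; returning `false` after the `assert.NoError`, or `t.Fatalf`, would be clearer. The `os.Stat` guard in the `tmpDir` cleanup is redundant because `os.RemoveAll` already returns nil for a missing path, so `defer os.RemoveAll(tmpDir)` suffices.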