diff options
author | Antoine GIRARD <sapk@users.noreply.github.com> | 2020-01-05 00:20:08 +0100 |
---|---|---|
committer | Lauris BH <lauris@nix.lv> | 2020-01-05 01:20:08 +0200 |
commit | 8b2407371365fc123fc368bfd46b15f55ba8ae6a (patch) | |
tree | 8f112acce97c863846a88a6b37e3b570062860d2 /integrations | |
parent | 6a5a2f493a2b8d19a9f6196bd208a3b8a14e9c1c (diff) | |
download | gitea-8b2407371365fc123fc368bfd46b15f55ba8ae6a.tar.gz gitea-8b2407371365fc123fc368bfd46b15f55ba8ae6a.zip |
Only serve attachments when linked to issue/release and if accessible by user (#9340)
* test: add current attachement responses
* refactor: check if attachement is linked and accessible by user
* chore: clean TODO
* fix: typo attachement -> attachment
* revert un-needed go.sum change
* refactor: move models logic to models
* fix TestCreateIssueAttachment which was wrongly successful
* fix unit tests with unittype added
* fix unit tests with changes
* use a valid uuid format for pgsql int. test
* test: add unit test TestLinkedRepository
* refactor: allow uploader to access unlinked attachement
* add missing blank line
* refactor: move to a separate function repo.GetAttachment
* typo
* test: remove err test return
* refactor: use repo perm for access checking generally + 404 for all reject
Diffstat (limited to 'integrations')
-rw-r--r-- | integrations/attachement_test.go | 88 | ||||
-rw-r--r-- | integrations/attachment_test.go | 137 |
2 files changed, 137 insertions, 88 deletions
diff --git a/integrations/attachement_test.go b/integrations/attachement_test.go deleted file mode 100644 index 8d709a376e..0000000000 --- a/integrations/attachement_test.go +++ /dev/null @@ -1,88 +0,0 @@ -// Copyright 2019 The Gitea Authors. All rights reserved. -// Use of this source code is governed by a MIT-style -// license that can be found in the LICENSE file. - -package integrations - -import ( - "bytes" - "image" - "image/png" - "io" - "mime/multipart" - "net/http" - "testing" - - "code.gitea.io/gitea/modules/test" - "github.com/stretchr/testify/assert" -) - -func generateImg() bytes.Buffer { - // Generate image - myImage := image.NewRGBA(image.Rect(0, 0, 32, 32)) - var buff bytes.Buffer - png.Encode(&buff, myImage) - return buff -} - -func createAttachment(t *testing.T, session *TestSession, repoURL, filename string, buff bytes.Buffer, expectedStatus int) string { - body := &bytes.Buffer{} - - //Setup multi-part - writer := multipart.NewWriter(body) - part, err := writer.CreateFormFile("file", filename) - assert.NoError(t, err) - _, err = io.Copy(part, &buff) - assert.NoError(t, err) - err = writer.Close() - assert.NoError(t, err) - - csrf := GetCSRF(t, session, repoURL) - - req := NewRequestWithBody(t, "POST", "/attachments", body) - req.Header.Add("X-Csrf-Token", csrf) - req.Header.Add("Content-Type", writer.FormDataContentType()) - resp := session.MakeRequest(t, req, expectedStatus) - - if expectedStatus != http.StatusOK { - return "" - } - var obj map[string]string - DecodeJSON(t, resp, &obj) - return obj["uuid"] -} - -func TestCreateAnonymousAttachment(t *testing.T) { - prepareTestEnv(t) - session := emptyTestSession(t) - createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusFound) -} - -func TestCreateIssueAttachement(t *testing.T) { - prepareTestEnv(t) - const repoURL = "user2/repo1" - session := loginUser(t, "user2") - uuid := createAttachment(t, session, repoURL, "image.png", generateImg(), http.StatusOK) - - req := NewRequest(t, "GET", repoURL+"/issues/new") - resp := session.MakeRequest(t, req, http.StatusOK) - htmlDoc := NewHTMLParser(t, resp.Body) - - link, exists := htmlDoc.doc.Find("form").Attr("action") - assert.True(t, exists, "The template has changed") - - postData := map[string]string{ - "_csrf": htmlDoc.GetCSRF(), - "title": "New Issue With Attachement", - "content": "some content", - "files[0]": uuid, - } - - req = NewRequestWithValues(t, "POST", link, postData) - resp = session.MakeRequest(t, req, http.StatusFound) - test.RedirectURL(resp) // check that redirect URL exists - - //Validate that attachement is available - req = NewRequest(t, "GET", "/attachments/"+uuid) - session.MakeRequest(t, req, http.StatusOK) -} diff --git a/integrations/attachment_test.go b/integrations/attachment_test.go new file mode 100644 index 0000000000..746256df95 --- /dev/null +++ b/integrations/attachment_test.go @@ -0,0 +1,137 @@ +// Copyright 2019 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package integrations + +import ( + "bytes" + "image" + "image/png" + "io" + "io/ioutil" + "mime/multipart" + "net/http" + "os" + "path" + "testing" + + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/test" + + "github.com/stretchr/testify/assert" +) + +func generateImg() bytes.Buffer { + // Generate image + myImage := image.NewRGBA(image.Rect(0, 0, 32, 32)) + var buff bytes.Buffer + png.Encode(&buff, myImage) + return buff +} + +func createAttachment(t *testing.T, session *TestSession, repoURL, filename string, buff bytes.Buffer, expectedStatus int) string { + body := &bytes.Buffer{} + + //Setup multi-part + writer := multipart.NewWriter(body) + part, err := writer.CreateFormFile("file", filename) + assert.NoError(t, err) + _, err = io.Copy(part, &buff) + assert.NoError(t, err) + err = writer.Close() + assert.NoError(t, err) + + csrf := GetCSRF(t, session, repoURL) + + req := NewRequestWithBody(t, "POST", "/attachments", body) + req.Header.Add("X-Csrf-Token", csrf) + req.Header.Add("Content-Type", writer.FormDataContentType()) + resp := session.MakeRequest(t, req, expectedStatus) + + if expectedStatus != http.StatusOK { + return "" + } + var obj map[string]string + DecodeJSON(t, resp, &obj) + return obj["uuid"] +} + +func TestCreateAnonymousAttachment(t *testing.T) { + prepareTestEnv(t) + session := emptyTestSession(t) + createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusFound) +} + +func TestCreateIssueAttachment(t *testing.T) { + prepareTestEnv(t) + const repoURL = "user2/repo1" + session := loginUser(t, "user2") + uuid := createAttachment(t, session, repoURL, "image.png", generateImg(), http.StatusOK) + + req := NewRequest(t, "GET", repoURL+"/issues/new") + resp := session.MakeRequest(t, req, http.StatusOK) + htmlDoc := NewHTMLParser(t, resp.Body) + + link, exists := htmlDoc.doc.Find("form").Attr("action") + assert.True(t, exists, "The template has changed") + + postData := map[string]string{ + "_csrf": htmlDoc.GetCSRF(), + "title": "New Issue With Attachment", + "content": "some content", + "files": uuid, + } + + req = NewRequestWithValues(t, "POST", link, postData) + resp = session.MakeRequest(t, req, http.StatusFound) + test.RedirectURL(resp) // check that redirect URL exists + + //Validate that attachment is available + req = NewRequest(t, "GET", "/attachments/"+uuid) + session.MakeRequest(t, req, http.StatusOK) +} + +func TestGetAttachment(t *testing.T) { + prepareTestEnv(t) + adminSession := loginUser(t, "user1") + user2Session := loginUser(t, "user2") + user8Session := loginUser(t, "user8") + emptySession := emptyTestSession(t) + testCases := []struct { + name string + uuid string + createFile bool + session *TestSession + want int + }{ + {"LinkedIssueUUID", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11", true, user2Session, http.StatusOK}, + {"LinkedCommentUUID", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a17", true, user2Session, http.StatusOK}, + {"linked_release_uuid", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a19", true, user2Session, http.StatusOK}, + {"NotExistingUUID", "b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a18", false, user2Session, http.StatusNotFound}, + {"FileMissing", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a18", false, user2Session, http.StatusInternalServerError}, + {"NotLinked", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a20", true, user2Session, http.StatusNotFound}, + {"NotLinkedAccessibleByUploader", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a20", true, user8Session, http.StatusOK}, + {"PublicByNonLogged", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11", true, emptySession, http.StatusOK}, + {"PrivateByNonLogged", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, emptySession, http.StatusNotFound}, + {"PrivateAccessibleByAdmin", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, adminSession, http.StatusOK}, + {"PrivateAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, user2Session, http.StatusOK}, + {"RepoNotAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, user8Session, http.StatusNotFound}, + {"OrgNotAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a21", true, user8Session, http.StatusNotFound}, + } + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + //Write empty file to be available for response + if tc.createFile { + localPath := models.AttachmentLocalPath(tc.uuid) + err := os.MkdirAll(path.Dir(localPath), os.ModePerm) + assert.NoError(t, err) + err = ioutil.WriteFile(localPath, []byte("hello world"), 0644) + assert.NoError(t, err) + } + //Actual test + req := NewRequest(t, "GET", "/attachments/"+tc.uuid) + tc.session.MakeRequest(t, req, tc.want) + }) + } +} |