diff options
| author | Kyle D <kdumontnu@gmail.com> | 2022-09-02 15:18:23 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-02 15:18:23 -0400 |
| commit | c8ded77680db7344c8dc1ccee76bce0b4e02e103 (patch) | |
| tree | bc63678ef62dc71ce68b29eeaf019c45cdb12034 /tests/integration/csrf_test.go | |
| parent | 5710ff343c9f16119ddbff06044e5d61388baa22 (diff) | |
| download | gitea-c8ded77680db7344c8dc1ccee76bce0b4e02e103.tar.gz gitea-c8ded77680db7344c8dc1ccee76bce0b4e02e103.zip | |
Kd/ci playwright go test (#20123)
* Add initial playwright config
* Simplify Makefile
* Simplify Makefile
* Use correct config files
* Update playwright settings
* Fix package-lock file
* Don't use test logger for e2e tests
* fix frontend lint
* Allow passing TEST_LOGGER variable
* Init postgres database
* use standard gitea env variables
* Update playwright
* update drone
* Move empty env var to commands
* Cleanup
* Move integrations to subfolder
* tests integrations to tests integraton
* Run e2e tests with go test
* Fix linting
* install CI deps
* Add files to ESlint
* Fix drone typo
* Don't log to console in CI
* Use go test http server
* Add build step before tests
* Move shared init function to common package
* fix drone
* Clean up tests
* Fix linting
* Better mocking for page + version string
* Cleanup test generation
* Remove dependency on gitea binary
* Fix linting
* add initial support for running specific tests
* Add ACCEPT_VISUAL variable
* don't require git-lfs
* Add initial documentation
* Review feedback
* Add logged in session test
* Attempt fixing drone race
* Cleanup and bump version
* Bump deps
* Review feedback
* simplify installation
* Fix ci
* Update install docs
Diffstat (limited to 'tests/integration/csrf_test.go')
| -rw-r--r-- | tests/integration/csrf_test.go | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/tests/integration/csrf_test.go b/tests/integration/csrf_test.go new file mode 100644 index 0000000000..18a157412b --- /dev/null +++ b/tests/integration/csrf_test.go @@ -0,0 +1,53 @@ +// Copyright 2017 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package integration + +import ( + "net/http" + "strings" + "testing" + + "code.gitea.io/gitea/models/unittest" + user_model "code.gitea.io/gitea/models/user" + "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/tests" + + "github.com/stretchr/testify/assert" +) + +func TestCsrfProtection(t *testing.T) { + defer tests.PrepareTestEnv(t)() + + // test web form csrf via form + user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) + session := loginUser(t, user.Name) + req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{ + "_csrf": "fake_csrf", + }) + session.MakeRequest(t, req, http.StatusSeeOther) + + resp := session.MakeRequest(t, req, http.StatusSeeOther) + loc := resp.Header().Get("Location") + assert.Equal(t, setting.AppSubURL+"/", loc) + resp = session.MakeRequest(t, NewRequest(t, "GET", loc), http.StatusOK) + htmlDoc := NewHTMLParser(t, resp.Body) + assert.Equal(t, "Bad Request: invalid CSRF token", + strings.TrimSpace(htmlDoc.doc.Find(".ui.message").Text()), + ) + + // test web form csrf via header. TODO: should use an UI api to test + req = NewRequest(t, "POST", "/user/settings") + req.Header.Add("X-Csrf-Token", "fake_csrf") + session.MakeRequest(t, req, http.StatusSeeOther) + + resp = session.MakeRequest(t, req, http.StatusSeeOther) + loc = resp.Header().Get("Location") + assert.Equal(t, setting.AppSubURL+"/", loc) + resp = session.MakeRequest(t, NewRequest(t, "GET", loc), http.StatusOK) + htmlDoc = NewHTMLParser(t, resp.Body) + assert.Equal(t, "Bad Request: invalid CSRF token", + strings.TrimSpace(htmlDoc.doc.Find(".ui.message").Text()), + ) +} |