From 640f0e1ddf7a5cae8a778e989046e7438067a56c Mon Sep 17 00:00:00 2001
From: Gusted
Date: Mon, 8 Nov 2021 16:45:37 +0100
Subject: Only allow returned deleted branche to be on repo (#17570)

- This will only allow `GetDeletedBranchByID` to return deletedBranch which are on the repo, and thus don't return a deletedBranch from another repo.
- This just should prevent possible bugs in the futher when a code is passing the wrong ID into this function.
---
 models/branches.go | 2 +-
 models/branches_test.go | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/models/branches.go b/models/branches.go
index 3c62c7a87b..caca9e23fe 100644
--- a/models/branches.go
+++ b/models/branches.go
@@ -536,7 +536,7 @@ func (repo *Repository) GetDeletedBranches() ([]*DeletedBranch, error) {
 // GetDeletedBranchByID get a deleted branch by its ID
 func (repo *Repository) GetDeletedBranchByID(id int64) (*DeletedBranch, error) {
 deletedBranch := &DeletedBranch{}
- has, err := db.GetEngine(db.DefaultContext).ID(id).Get(deletedBranch)
+ has, err := db.GetEngine(db.DefaultContext).Where("repo_id = ?", repo.ID).And("id = ?", id).Get(deletedBranch)
 if err != nil {
 return nil, err
 }
diff --git a/models/branches_test.go b/models/branches_test.go
index f1dcfecfa8..e9a32666f9 100644
--- a/models/branches_test.go
+++ b/models/branches_test.go
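Review bot: The doc comment on `GetDeletedBranchByID` in models/branches.go still reads as a global lookup by ID, although the new query on the `has, err :=` line is what keeps a deleted branch of another repository out of the result. Since this filter acts as the ownership check for any caller that passes an ID it did not generate itself, I would state it in the comment: `// GetDeletedBranchByID returns the deleted branch with the given ID only if it belongs to repo; a missing or foreign ID yields (nil, nil).` The (nil, nil) result is taken from the new test rather than from this hunk, because the function body continues past the last context line, so callers should be checked for a nil guard before they dereference the result.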
@@ -128,3 +128,28 @@ func TestRenameBranch(t *testing.T) {
 BranchName: "main",
 })
 }
+
+func TestOnlyGetDeletedBranchOnCorrectRepo(t *testing.T) {
+ assert.NoError(t, db.PrepareTestDatabase())
+
+ // Get deletedBranch with ID of 1 on repo with ID 2.
+ // This should return a nil branch as this deleted branch
+ // is actually on repo with ID 1.
+ repo2 := db.AssertExistsAndLoadBean(t, &Repository{ID: 2}).(*Repository)
+
+ deletedBranch, err := repo2.GetDeletedBranchByID(1)
+
+ // Expect no error, and the returned branch is nil.
+ assert.NoError(t, err)
+ assert.Nil(t, deletedBranch)
+
+ // Now get the deletedBranch with ID of 1 on repo with ID 1.
+ // This should return the deletedBranch.
+ repo1 := db.AssertExistsAndLoadBean(t, &Repository{ID: 1}).(*Repository)
+
+ deletedBranch, err = repo1.GetDeletedBranchByID(1)
+
+ // Expect no error, and the returned branch to be not nil.
+ assert.NoError(t, err)
+ assert.NotNil(t, deletedBranch)
+}
-- cgit v1.2.3
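Review bot: The positive case ends at `assert.NotNil(t, deletedBranch)`, so it would still pass if the lookup returned a different row for repo 1. Adding `assert.EqualValues(t, 1, deletedBranch.ID)` and `assert.EqualValues(t, repo1.ID, deletedBranch.RepoID)` after it would pin both the ID and the repository scoping that this commit introduces; the `RepoID` field name is assumed from the `repo_id` column used in the query. Both cases also depend on the fixtures placing deleted branch 1 in repo 1, which is stated only in the comments here.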