mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13519 Commits
17 Branches
Tree: f67a1030b3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f67a1030b3'
${ noResults }
gitea/services/migrations/migrate_test.go

migrate_test.go 4.1KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package migrations

  6. 

  7. import (

  8. 	"net"

  9. 	"path/filepath"

  10. 	"testing"

  11. 

  12. 	"code.gitea.io/gitea/models/unittest"

  13. 	user_model "code.gitea.io/gitea/models/user"

  14. 	"code.gitea.io/gitea/modules/setting"

  15. 

  16. 	"github.com/stretchr/testify/assert"

  17. )

  18. 

  19. func TestMigrateWhiteBlocklist(t *testing.T) {

  20. 	assert.NoError(t, unittest.PrepareTestDatabase())

  21. 

  22. 	adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user1"}).(*user_model.User)

  23. 	nonAdminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"}).(*user_model.User)

  24. 

  25. 	setting.Migrations.AllowedDomains = "github.com"

  26. 	setting.Migrations.AllowLocalNetworks = false

  27. 	assert.NoError(t, Init())

  28. 

  29. 	err := IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)

  30. 	assert.Error(t, err)

  31. 

  32. 	err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)

  33. 	assert.NoError(t, err)

  34. 

  35. 	err = IsMigrateURLAllowed("https://gITHUb.com/go-gitea/gitea.git", nonAdminUser)

  36. 	assert.NoError(t, err)

  37. 

  38. 	setting.Migrations.AllowedDomains = ""

  39. 	setting.Migrations.BlockedDomains = "github.com"

  40. 	assert.NoError(t, Init())

  41. 

  42. 	err = IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)

  43. 	assert.NoError(t, err)

  44. 

  45. 	err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)

  46. 	assert.Error(t, err)

  47. 

  48. 	err = IsMigrateURLAllowed("https://10.0.0.1/go-gitea/gitea.git", nonAdminUser)

  49. 	assert.Error(t, err)

  50. 

  51. 	setting.Migrations.AllowLocalNetworks = true

  52. 	assert.NoError(t, Init())

  53. 	err = IsMigrateURLAllowed("https://10.0.0.1/go-gitea/gitea.git", nonAdminUser)

  54. 	assert.NoError(t, err)

  55. 

  56. 	old := setting.ImportLocalPaths

  57. 	setting.ImportLocalPaths = false

  58. 

  59. 	err = IsMigrateURLAllowed("/home/foo/bar/goo", adminUser)

  60. 	assert.Error(t, err)

  61. 

  62. 	setting.ImportLocalPaths = true

  63. 	abs, err := filepath.Abs(".")

  64. 	assert.NoError(t, err)

  65. 

  66. 	err = IsMigrateURLAllowed(abs, adminUser)

  67. 	assert.NoError(t, err)

  68. 

  69. 	err = IsMigrateURLAllowed(abs, nonAdminUser)

  70. 	assert.Error(t, err)

  71. 

  72. 	nonAdminUser.AllowImportLocal = true

  73. 	err = IsMigrateURLAllowed(abs, nonAdminUser)

  74. 	assert.NoError(t, err)

  75. 

  76. 	setting.ImportLocalPaths = old

  77. }

  78. 

  79. func TestAllowBlockList(t *testing.T) {

  80. 	init := func(allow, block string, local bool) {

  81. 		setting.Migrations.AllowedDomains = allow

  82. 		setting.Migrations.BlockedDomains = block

  83. 		setting.Migrations.AllowLocalNetworks = local

  84. 		assert.NoError(t, Init())

  85. 	}

  86. 

  87. 	// default, allow all external, block none, no local networks

  88. 	init("", "", false)

  89. 	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))

  90. 	assert.Error(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

  91. 

  92. 	// allow all including local networks (it could lead to SSRF in production)

  93. 	init("", "", true)

  94. 	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))

  95. 	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

  96. 

  97. 	// allow wildcard, block some subdomains. if the domain name is allowed, then the local network check is skipped

  98. 	init("*.domain.com", "blocked.domain.com", false)

  99. 	assert.NoError(t, checkByAllowBlockList("sub.domain.com", []net.IP{net.ParseIP("1.2.3.4")}))

  100. 	assert.NoError(t, checkByAllowBlockList("sub.domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

  101. 	assert.Error(t, checkByAllowBlockList("blocked.domain.com", []net.IP{net.ParseIP("1.2.3.4")}))

  102. 	assert.Error(t, checkByAllowBlockList("sub.other.com", []net.IP{net.ParseIP("1.2.3.4")}))

  103. 

  104. 	// allow wildcard (it could lead to SSRF in production)

  105. 	init("*", "", false)

  106. 	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))

  107. 	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

  108. 

  109. 	// local network can still be blocked

  110. 	init("*", "127.0.0.*", false)

  111. 	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))

  112. 	assert.Error(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

  113. 

  114. 	// reset

  115. 	init("", "", false)

  116. }