mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16810 Commits
17 Branches
Tree: v1.21.5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'v1.21.5'
${ noResults }
gitea/services/migrations/migrate_test.go

migrate_test.go 4.0KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package migrations

  5. 

  6. import (

  7. 	"net"

  8. 	"path/filepath"

  9. 	"testing"

  10. 

  11. 	"code.gitea.io/gitea/models/unittest"

  12. 	user_model "code.gitea.io/gitea/models/user"

  13. 	"code.gitea.io/gitea/modules/setting"

  14. 

  15. 	"github.com/stretchr/testify/assert"

  16. )

  17. 

  18. func TestMigrateWhiteBlocklist(t *testing.T) {

  19. 	assert.NoError(t, unittest.PrepareTestDatabase())

  20. 

  21. 	adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user1"})

  22. 	nonAdminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})

  23. 

  24. 	setting.Migrations.AllowedDomains = "github.com"

  25. 	setting.Migrations.AllowLocalNetworks = false

  26. 	assert.NoError(t, Init())

  27. 

  28. 	err := IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)

  29. 	assert.Error(t, err)

  30. 

  31. 	err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)

  32. 	assert.NoError(t, err)

  33. 

  34. 	err = IsMigrateURLAllowed("https://gITHUb.com/go-gitea/gitea.git", nonAdminUser)

  35. 	assert.NoError(t, err)

  36. 

  37. 	setting.Migrations.AllowedDomains = ""

  38. 	setting.Migrations.BlockedDomains = "github.com"

  39. 	assert.NoError(t, Init())

  40. 

  41. 	err = IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)

  42. 	assert.NoError(t, err)

  43. 

  44. 	err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)

  45. 	assert.Error(t, err)

  46. 

  47. 	err = IsMigrateURLAllowed("https://10.0.0.1/go-gitea/gitea.git", nonAdminUser)

  48. 	assert.Error(t, err)

  49. 

  50. 	setting.Migrations.AllowLocalNetworks = true

  51. 	assert.NoError(t, Init())

  52. 	err = IsMigrateURLAllowed("https://10.0.0.1/go-gitea/gitea.git", nonAdminUser)

  53. 	assert.NoError(t, err)

  54. 

  55. 	old := setting.ImportLocalPaths

  56. 	setting.ImportLocalPaths = false

  57. 

  58. 	err = IsMigrateURLAllowed("/home/foo/bar/goo", adminUser)

  59. 	assert.Error(t, err)

  60. 

  61. 	setting.ImportLocalPaths = true

  62. 	abs, err := filepath.Abs(".")

  63. 	assert.NoError(t, err)

  64. 

  65. 	err = IsMigrateURLAllowed(abs, adminUser)

  66. 	assert.NoError(t, err)

  67. 

  68. 	err = IsMigrateURLAllowed(abs, nonAdminUser)

  69. 	assert.Error(t, err)

  70. 

  71. 	nonAdminUser.AllowImportLocal = true

  72. 	err = IsMigrateURLAllowed(abs, nonAdminUser)

  73. 	assert.NoError(t, err)

  74. 

  75. 	setting.ImportLocalPaths = old

  76. }

  77. 

  78. func TestAllowBlockList(t *testing.T) {

  79. 	init := func(allow, block string, local bool) {

  80. 		setting.Migrations.AllowedDomains = allow

  81. 		setting.Migrations.BlockedDomains = block

  82. 		setting.Migrations.AllowLocalNetworks = local

  83. 		assert.NoError(t, Init())

  84. 	}

  85. 

  86. 	// default, allow all external, block none, no local networks

  87. 	init("", "", false)

  88. 	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))

  89. 	assert.Error(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

  90. 

  91. 	// allow all including local networks (it could lead to SSRF in production)

  92. 	init("", "", true)

  93. 	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))

  94. 	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

  95. 

  96. 	// allow wildcard, block some subdomains. if the domain name is allowed, then the local network check is skipped

  97. 	init("*.domain.com", "blocked.domain.com", false)

  98. 	assert.NoError(t, checkByAllowBlockList("sub.domain.com", []net.IP{net.ParseIP("1.2.3.4")}))

  99. 	assert.NoError(t, checkByAllowBlockList("sub.domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

  100. 	assert.Error(t, checkByAllowBlockList("blocked.domain.com", []net.IP{net.ParseIP("1.2.3.4")}))

  101. 	assert.Error(t, checkByAllowBlockList("sub.other.com", []net.IP{net.ParseIP("1.2.3.4")}))

  102. 

  103. 	// allow wildcard (it could lead to SSRF in production)

  104. 	init("*", "", false)

  105. 	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))

  106. 	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

  107. 

  108. 	// local network can still be blocked

  109. 	init("*", "127.0.0.*", false)

  110. 	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))

  111. 	assert.Error(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

  112. 

  113. 	// reset

  114. 	init("", "", false)

  115. }