Ensure GetCSRF
doesn't return an empty token (#32130)
Since page templates keep changing, some pages that contained forms with
CSRF token no longer have them.
It leads to some calls to `GetCSRF` returning an empty string, which
makes the tests fail, like
3269b04d61/tests/integration/attachment_test.go (L62-L63)
The test did try to get the CSRF token and provided it, but it was
empty.
This commit is contained in:
parent
5015de4d9a
commit
13283873e9
@ -29,7 +29,7 @@ func generateImg() bytes.Buffer {
|
|||||||
return buff
|
return buff
|
||||||
}
|
}
|
||||||
|
|
||||||
func createAttachment(t *testing.T, session *TestSession, repoURL, filename string, buff bytes.Buffer, expectedStatus int) string {
|
func createAttachment(t *testing.T, session *TestSession, csrf, repoURL, filename string, buff bytes.Buffer, expectedStatus int) string {
|
||||||
body := &bytes.Buffer{}
|
body := &bytes.Buffer{}
|
||||||
|
|
||||||
// Setup multi-part
|
// Setup multi-part
|
||||||
@ -41,8 +41,6 @@ func createAttachment(t *testing.T, session *TestSession, repoURL, filename stri
|
|||||||
err = writer.Close()
|
err = writer.Close()
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|
||||||
csrf := GetCSRF(t, session, repoURL)
|
|
||||||
|
|
||||||
req := NewRequestWithBody(t, "POST", repoURL+"/issues/attachments", body)
|
req := NewRequestWithBody(t, "POST", repoURL+"/issues/attachments", body)
|
||||||
req.Header.Add("X-Csrf-Token", csrf)
|
req.Header.Add("X-Csrf-Token", csrf)
|
||||||
req.Header.Add("Content-Type", writer.FormDataContentType())
|
req.Header.Add("Content-Type", writer.FormDataContentType())
|
||||||
@ -59,15 +57,14 @@ func createAttachment(t *testing.T, session *TestSession, repoURL, filename stri
|
|||||||
func TestCreateAnonymousAttachment(t *testing.T) {
|
func TestCreateAnonymousAttachment(t *testing.T) {
|
||||||
defer tests.PrepareTestEnv(t)()
|
defer tests.PrepareTestEnv(t)()
|
||||||
session := emptyTestSession(t)
|
session := emptyTestSession(t)
|
||||||
// this test is not right because it just doesn't pass the CSRF validation
|
createAttachment(t, session, GetCSRF(t, session, "/user/login"), "user2/repo1", "image.png", generateImg(), http.StatusSeeOther)
|
||||||
createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusBadRequest)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestCreateIssueAttachment(t *testing.T) {
|
func TestCreateIssueAttachment(t *testing.T) {
|
||||||
defer tests.PrepareTestEnv(t)()
|
defer tests.PrepareTestEnv(t)()
|
||||||
const repoURL = "user2/repo1"
|
const repoURL = "user2/repo1"
|
||||||
session := loginUser(t, "user2")
|
session := loginUser(t, "user2")
|
||||||
uuid := createAttachment(t, session, repoURL, "image.png", generateImg(), http.StatusOK)
|
uuid := createAttachment(t, session, GetCSRF(t, session, repoURL), repoURL, "image.png", generateImg(), http.StatusOK)
|
||||||
|
|
||||||
req := NewRequest(t, "GET", repoURL+"/issues/new")
|
req := NewRequest(t, "GET", repoURL+"/issues/new")
|
||||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||||
|
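Review bot: With the anonymous call now passing `GetCSRF(t, session, "/user/login")` and expecting `http.StatusSeeOther`, this file no longer contains any request that exercises the attachment endpoint's rejection of a missing or wrong `X-Csrf-Token`; the old `http.StatusBadRequest` call was the only one, and the deleted comment admits it was not a real CSRF check either. A companion call with an empty or stale token, expected to be rejected (the exact status the CSRF middleware returns should be confirmed rather than assumed), would keep that negative path covered, since `createAttachment` adds the header unconditionally and says nothing when `csrf` is empty. The new `csrf` parameter on `createAttachment` also deserves a doc comment, e.g. `// createAttachment POSTs buff as filename to repoURL's issue attachment endpoint, sending csrf as X-Csrf-Token, asserts expectedStatus, and returns the string callers use as the attachment uuid.` The helper's body continues past the second hunk, so that return path is not visible here.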
@ -37,6 +37,7 @@ import (
|
|||||||
|
|
||||||
"github.com/PuerkitoBio/goquery"
|
"github.com/PuerkitoBio/goquery"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
"github.com/xeipuuv/gojsonschema"
|
"github.com/xeipuuv/gojsonschema"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -486,12 +487,16 @@ func VerifyJSONSchema(t testing.TB, resp *httptest.ResponseRecorder, schemaFile
|
|||||||
}
|
}
|
||||||
|
|
||||||
// GetCSRF returns CSRF token from body
|
// GetCSRF returns CSRF token from body
|
||||||
|
// If it fails, it means the CSRF token is not found in the response body returned by the url with the given session.
|
||||||
|
// In this case, you should find a better url to get it.
|
||||||
func GetCSRF(t testing.TB, session *TestSession, urlStr string) string {
|
func GetCSRF(t testing.TB, session *TestSession, urlStr string) string {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
req := NewRequest(t, "GET", urlStr)
|
req := NewRequest(t, "GET", urlStr)
|
||||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||||
doc := NewHTMLParser(t, resp.Body)
|
doc := NewHTMLParser(t, resp.Body)
|
||||||
return doc.GetCSRF()
|
csrf := doc.GetCSRF()
|
||||||
|
require.NotEmpty(t, csrf)
|
||||||
|
return csrf
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetCSRFFrom returns CSRF token from body
|
// GetCSRFFrom returns CSRF token from body
|
||||||
|
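Review bot: `GetCSRFFrom`, whose doc comment starts on the hunk's last lines, does not receive the same `require.NotEmpty` guard in this diff; if it also returns `doc.GetCSRF()` unchecked (its body is outside the hunk), a caller of that variant can still send an empty token and get a confusing CSRF failure instead of a clear one. The updated doc comment could be tightened to `// GetCSRF fetches urlStr with session and returns the CSRF token found in the response body. The test fails immediately if the page contains no token; pick a URL whose page renders a CSRF-bearing form.` Using `require` rather than `assert` here is the right choice, since continuing with an empty token would only produce a later, less informative failure.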
@ -204,9 +204,7 @@ func TestTeamSearch(t *testing.T) {
|
|||||||
var results TeamSearchResults
|
var results TeamSearchResults
|
||||||
|
|
||||||
session := loginUser(t, user.Name)
|
session := loginUser(t, user.Name)
|
||||||
csrf := GetCSRF(t, session, "/"+org.Name)
|
|
||||||
req := NewRequestf(t, "GET", "/org/%s/teams/-/search?q=%s", org.Name, "_team")
|
req := NewRequestf(t, "GET", "/org/%s/teams/-/search?q=%s", org.Name, "_team")
|
||||||
req.Header.Add("X-Csrf-Token", csrf)
|
|
||||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||||
DecodeJSON(t, resp, &results)
|
DecodeJSON(t, resp, &results)
|
||||||
assert.NotEmpty(t, results.Data)
|
assert.NotEmpty(t, results.Data)
|
||||||
@ -217,8 +215,6 @@ func TestTeamSearch(t *testing.T) {
|
|||||||
// no access if not organization member
|
// no access if not organization member
|
||||||
user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
|
user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
|
||||||
session = loginUser(t, user5.Name)
|
session = loginUser(t, user5.Name)
|
||||||
csrf = GetCSRF(t, session, "/"+org.Name)
|
|
||||||
req = NewRequestf(t, "GET", "/org/%s/teams/-/search?q=%s", org.Name, "team")
|
req = NewRequestf(t, "GET", "/org/%s/teams/-/search?q=%s", org.Name, "team")
|
||||||
req.Header.Add("X-Csrf-Token", csrf)
|
|
||||||
session.MakeRequest(t, req, http.StatusNotFound)
|
session.MakeRequest(t, req, http.StatusNotFound)
|
||||||
}
|
}
|
||||||
|
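Review bot: Both hunks drop the `GetCSRF`/`X-Csrf-Token` pair around a `GET .../teams/-/search` request without recording why, which is presumably fine only because the token is not checked on safe methods and `/`+org.Name no longer renders a form to take it from; a one-line comment at the first request, `// GET is not CSRF-checked, so no token is sent`, would stop the header from being reintroduced the next time this block is copied. If any later statement in `TestTeamSearch` still reads `csrf`, removing both assignments would no longer compile, so the rest of the function (it starts before the first hunk) should be checked. The second hunk makes the same change and needs no separate note.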