[GITEA] test POST /{username}/{reponame}/{tags,release}/delete

Refs: https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers

(cherry picked from commit 78dcbb62fe87abe044034d880c9e8c22b44c2c98)
(cherry picked from commit 6707c08c1791926060a7735529f1945650030257)
(cherry picked from commit 68da5a9cd8)
(cherry picked from commit c27fb08cb00f130870d6059a0ebb67b505a3c252)
(cherry picked from commit f15a2c558a74aaf954550c71974593bf012004db)
(cherry picked from commit 8eb3ae693922fdb65a185ee63703b866d10fa60a)
(cherry picked from commit d54d5952f25828e84f7024aae6e62d1a18b788ae)
(cherry picked from commit ce22d57485ed718612cd0e40979cc591a5e18126)
(cherry picked from commit bfc110ba3303b4d2664638712435cc8d47906da0)
(cherry picked from commit 1fb3d555d972ad72d257c7d00e71148c88926e5d)
(cherry picked from commit 859c2275db185df4b38be6d50a8b4886622ecfde)
(cherry picked from commit b21cf2567ae7395ba6815309dc192911b396d91c)
(cherry picked from commit 8b9d75974f61caebc37739f970e1b030daea0ebf)
This commit is contained in:
Loïc Dachary 2023-11-12 20:01:24 +01:00 committed by Earl Warren
parent 7022378173
commit efbe483057
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00

View file

@ -93,6 +93,44 @@ func TestCreateRelease(t *testing.T) {
checkLatestReleaseAndCount(t, session, "/user2/repo1", "v0.0.1", translation.NewLocale("en-US").Tr("repo.release.stable"), 4) checkLatestReleaseAndCount(t, session, "/user2/repo1", "v0.0.1", translation.NewLocale("en-US").Tr("repo.release.stable"), 4)
} }
func TestDeleteRelease(t *testing.T) {
defer tests.PrepareTestEnv(t)()
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 57, OwnerName: "user2", LowerName: "repo-release"})
release := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{TagName: "v2.0"})
assert.False(t, release.IsTag)
// Using the ID of a comment that does not belong to the repository must fail
session5 := loginUser(t, "user5")
otherRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{OwnerName: "user5", LowerName: "repo4"})
req := NewRequestWithValues(t, "POST", fmt.Sprintf("%s/releases/delete?id=%d", otherRepo.Link(), release.ID), map[string]string{
"_csrf": GetCSRF(t, session5, otherRepo.Link()),
})
session5.MakeRequest(t, req, http.StatusNotFound)
session := loginUser(t, "user2")
req = NewRequestWithValues(t, "POST", fmt.Sprintf("%s/releases/delete?id=%d", repo.Link(), release.ID), map[string]string{
"_csrf": GetCSRF(t, session, repo.Link()),
})
session.MakeRequest(t, req, http.StatusOK)
release = unittest.AssertExistsAndLoadBean(t, &repo_model.Release{ID: release.ID})
if assert.True(t, release.IsTag) {
req = NewRequestWithValues(t, "POST", fmt.Sprintf("%s/tags/delete?id=%d", otherRepo.Link(), release.ID), map[string]string{
"_csrf": GetCSRF(t, session5, otherRepo.Link()),
})
session5.MakeRequest(t, req, http.StatusNotFound)
req = NewRequestWithValues(t, "POST", fmt.Sprintf("%s/tags/delete?id=%d", repo.Link(), release.ID), map[string]string{
"_csrf": GetCSRF(t, session, repo.Link()),
})
session.MakeRequest(t, req, http.StatusOK)
unittest.AssertNotExistsBean(t, &repo_model.Release{ID: release.ID})
}
}
func TestCreateReleasePreRelease(t *testing.T) { func TestCreateReleasePreRelease(t *testing.T) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()