Only serve attachments when linked to issue/release and if accessible by user (#9340)
* test: add current attachement responses * refactor: check if attachement is linked and accessible by user * chore: clean TODO * fix: typo attachement -> attachment * revert un-needed go.sum change * refactor: move models logic to models * fix TestCreateIssueAttachment which was wrongly successful * fix unit tests with unittype added * fix unit tests with changes * use a valid uuid format for pgsql int. test * test: add unit test TestLinkedRepository * refactor: allow uploader to access unlinked attachement * add missing blank line * refactor: move to a separate function repo.GetAttachment * typo * test: remove err test return * refactor: use repo perm for access checking generally + 404 for all rejecttokarchuk/v1.17
parent
6a5a2f493a
commit
8b24073713
@ -1,88 +0,0 @@ |
||||
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package integrations |
||||
|
||||
import ( |
||||
"bytes" |
||||
"image" |
||||
"image/png" |
||||
"io" |
||||
"mime/multipart" |
||||
"net/http" |
||||
"testing" |
||||
|
||||
"code.gitea.io/gitea/modules/test" |
||||
"github.com/stretchr/testify/assert" |
||||
) |
||||
|
||||
func generateImg() bytes.Buffer { |
||||
// Generate image
|
||||
myImage := image.NewRGBA(image.Rect(0, 0, 32, 32)) |
||||
var buff bytes.Buffer |
||||
png.Encode(&buff, myImage) |
||||
return buff |
||||
} |
||||
|
||||
func createAttachment(t *testing.T, session *TestSession, repoURL, filename string, buff bytes.Buffer, expectedStatus int) string { |
||||
body := &bytes.Buffer{} |
||||
|
||||
//Setup multi-part
|
||||
writer := multipart.NewWriter(body) |
||||
part, err := writer.CreateFormFile("file", filename) |
||||
assert.NoError(t, err) |
||||
_, err = io.Copy(part, &buff) |
||||
assert.NoError(t, err) |
||||
err = writer.Close() |
||||
assert.NoError(t, err) |
||||
|
||||
csrf := GetCSRF(t, session, repoURL) |
||||
|
||||
req := NewRequestWithBody(t, "POST", "/attachments", body) |
||||
req.Header.Add("X-Csrf-Token", csrf) |
||||
req.Header.Add("Content-Type", writer.FormDataContentType()) |
||||
resp := session.MakeRequest(t, req, expectedStatus) |
||||
|
||||
if expectedStatus != http.StatusOK { |
||||
return "" |
||||
} |
||||
var obj map[string]string |
||||
DecodeJSON(t, resp, &obj) |
||||
return obj["uuid"] |
||||
} |
||||
|
||||
func TestCreateAnonymousAttachment(t *testing.T) { |
||||
prepareTestEnv(t) |
||||
session := emptyTestSession(t) |
||||
createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusFound) |
||||
} |
||||
|
||||
func TestCreateIssueAttachement(t *testing.T) { |
||||
prepareTestEnv(t) |
||||
const repoURL = "user2/repo1" |
||||
session := loginUser(t, "user2") |
||||
uuid := createAttachment(t, session, repoURL, "image.png", generateImg(), http.StatusOK) |
||||
|
||||
req := NewRequest(t, "GET", repoURL+"/issues/new") |
||||
resp := session.MakeRequest(t, req, http.StatusOK) |
||||
htmlDoc := NewHTMLParser(t, resp.Body) |
||||
|
||||
link, exists := htmlDoc.doc.Find("form").Attr("action") |
||||
assert.True(t, exists, "The template has changed") |
||||
|
||||
postData := map[string]string{ |
||||
"_csrf": htmlDoc.GetCSRF(), |
||||
"title": "New Issue With Attachement", |
||||
"content": "some content", |
||||
"files[0]": uuid, |
||||
} |
||||
|
||||
req = NewRequestWithValues(t, "POST", link, postData) |
||||
resp = session.MakeRequest(t, req, http.StatusFound) |
||||
test.RedirectURL(resp) // check that redirect URL exists
|
||||
|
||||
//Validate that attachement is available
|
||||
req = NewRequest(t, "GET", "/attachments/"+uuid) |
||||
session.MakeRequest(t, req, http.StatusOK) |
||||
} |
@ -0,0 +1,137 @@ |
||||
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package integrations |
||||
|
||||
import ( |
||||
"bytes" |
||||
"image" |
||||
"image/png" |
||||
"io" |
||||
"io/ioutil" |
||||
"mime/multipart" |
||||
"net/http" |
||||
"os" |
||||
"path" |
||||
"testing" |
||||
|
||||
"code.gitea.io/gitea/models" |
||||
"code.gitea.io/gitea/modules/test" |
||||
|
||||
"github.com/stretchr/testify/assert" |
||||
) |
||||
|
||||
func generateImg() bytes.Buffer { |
||||
// Generate image
|
||||
myImage := image.NewRGBA(image.Rect(0, 0, 32, 32)) |
||||
var buff bytes.Buffer |
||||
png.Encode(&buff, myImage) |
||||
return buff |
||||
} |
||||
|
||||
func createAttachment(t *testing.T, session *TestSession, repoURL, filename string, buff bytes.Buffer, expectedStatus int) string { |
||||
body := &bytes.Buffer{} |
||||
|
||||
//Setup multi-part
|
||||
writer := multipart.NewWriter(body) |
||||
part, err := writer.CreateFormFile("file", filename) |
||||
assert.NoError(t, err) |
||||
_, err = io.Copy(part, &buff) |
||||
assert.NoError(t, err) |
||||
err = writer.Close() |
||||
assert.NoError(t, err) |
||||
|
||||
csrf := GetCSRF(t, session, repoURL) |
||||
|
||||
req := NewRequestWithBody(t, "POST", "/attachments", body) |
||||
req.Header.Add("X-Csrf-Token", csrf) |
||||
req.Header.Add("Content-Type", writer.FormDataContentType()) |
||||
resp := session.MakeRequest(t, req, expectedStatus) |
||||
|
||||
if expectedStatus != http.StatusOK { |
||||
return "" |
||||
} |
||||
var obj map[string]string |
||||
DecodeJSON(t, resp, &obj) |
||||
return obj["uuid"] |
||||
} |
||||
|
||||
func TestCreateAnonymousAttachment(t *testing.T) { |
||||
prepareTestEnv(t) |
||||
session := emptyTestSession(t) |
||||
createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusFound) |
||||
} |
||||
|
||||
func TestCreateIssueAttachment(t *testing.T) { |
||||
prepareTestEnv(t) |
||||
const repoURL = "user2/repo1" |
||||
session := loginUser(t, "user2") |
||||
uuid := createAttachment(t, session, repoURL, "image.png", generateImg(), http.StatusOK) |
||||
|
||||
req := NewRequest(t, "GET", repoURL+"/issues/new") |
||||
resp := session.MakeRequest(t, req, http.StatusOK) |
||||
htmlDoc := NewHTMLParser(t, resp.Body) |
||||
|
||||
link, exists := htmlDoc.doc.Find("form").Attr("action") |
||||
assert.True(t, exists, "The template has changed") |
||||
|
||||
postData := map[string]string{ |
||||
"_csrf": htmlDoc.GetCSRF(), |
||||
"title": "New Issue With Attachment", |
||||
"content": "some content", |
||||
"files": uuid, |
||||
} |
||||
|
||||
req = NewRequestWithValues(t, "POST", link, postData) |
||||
resp = session.MakeRequest(t, req, http.StatusFound) |
||||
test.RedirectURL(resp) // check that redirect URL exists
|
||||
|
||||
//Validate that attachment is available
|
||||
req = NewRequest(t, "GET", "/attachments/"+uuid) |
||||
session.MakeRequest(t, req, http.StatusOK) |
||||
} |
||||
|
||||
func TestGetAttachment(t *testing.T) { |
||||
prepareTestEnv(t) |
||||
adminSession := loginUser(t, "user1") |
||||
user2Session := loginUser(t, "user2") |
||||
user8Session := loginUser(t, "user8") |
||||
emptySession := emptyTestSession(t) |
||||
testCases := []struct { |
||||
name string |
||||
uuid string |
||||
createFile bool |
||||
session *TestSession |
||||
want int |
||||
}{ |
||||
{"LinkedIssueUUID", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11", true, user2Session, http.StatusOK}, |
||||
{"LinkedCommentUUID", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a17", true, user2Session, http.StatusOK}, |
||||
{"linked_release_uuid", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a19", true, user2Session, http.StatusOK}, |
||||
{"NotExistingUUID", "b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a18", false, user2Session, http.StatusNotFound}, |
||||
{"FileMissing", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a18", false, user2Session, http.StatusInternalServerError}, |
||||
{"NotLinked", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a20", true, user2Session, http.StatusNotFound}, |
||||
{"NotLinkedAccessibleByUploader", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a20", true, user8Session, http.StatusOK}, |
||||
{"PublicByNonLogged", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11", true, emptySession, http.StatusOK}, |
||||
{"PrivateByNonLogged", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, emptySession, http.StatusNotFound}, |
||||
{"PrivateAccessibleByAdmin", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, adminSession, http.StatusOK}, |
||||
{"PrivateAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, user2Session, http.StatusOK}, |
||||
{"RepoNotAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, user8Session, http.StatusNotFound}, |
||||
{"OrgNotAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a21", true, user8Session, http.StatusNotFound}, |
||||
} |
||||
for _, tc := range testCases { |
||||
t.Run(tc.name, func(t *testing.T) { |
||||
//Write empty file to be available for response
|
||||
if tc.createFile { |
||||
localPath := models.AttachmentLocalPath(tc.uuid) |
||||
err := os.MkdirAll(path.Dir(localPath), os.ModePerm) |
||||
assert.NoError(t, err) |
||||
err = ioutil.WriteFile(localPath, []byte("hello world"), 0644) |
||||
assert.NoError(t, err) |
||||
} |
||||
//Actual test
|
||||
req := NewRequest(t, "GET", "/attachments/"+tc.uuid) |
||||
tc.session.MakeRequest(t, req, tc.want) |
||||
}) |
||||
} |
||||
} |
Loading…
Reference in new issue