From c27fb08cb00f130870d6059a0ebb67b505a3c252 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?=
Date: Sun, 12 Nov 2023 20:01:24 +0100
Subject: [PATCH] [GITEA] test POST /{username}/{reponame}/{tags,release}/delete
Refs: https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers
(cherry picked from commit 78dcbb62fe87abe044034d880c9e8c22b44c2c98)
(cherry picked from commit 6707c08c1791926060a7735529f1945650030257)
(cherry picked from commit 68da5a9cd82415caedac15a07e38206f7bd6fbde)
---
 tests/integration/release_test.go | 38 +++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/tests/integration/release_test.go b/tests/integration/release_test.go
index 439e315347..96fcff0963 100644
--- a/tests/integration/release_test.go
+++ b/tests/integration/release_test.go
@@ -93,6 +93,44 @@ func TestCreateRelease(t *testing.T) {
 checkLatestReleaseAndCount(t, session, "/user2/repo1", "v0.0.1", translation.NewLocale("en-US").Tr("repo.release.stable"), 4)
 }
+func TestDeleteRelease(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
+ repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 57, OwnerName: "user2", LowerName: "repo-release"})
+ release := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{TagName: "v2.0"})
+ assert.False(t, release.IsTag)
+
+ // Using the ID of a comment that does not belong to the repository must fail
+ session5 := loginUser(t, "user5")
+ otherRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{OwnerName: "user5", LowerName: "repo4"})
+
+ req := NewRequestWithValues(t, "POST", fmt.Sprintf("%s/releases/delete?id=%d", otherRepo.Link(), release.ID), map[string]string{
+ "_csrf": GetCSRF(t, session5, otherRepo.Link()),
+ })
+ session5.MakeRequest(t, req, http.StatusNotFound)
+
+ session := loginUser(t, "user2")
+ req = NewRequestWithValues(t, "POST", fmt.Sprintf("%s/releases/delete?id=%d", repo.Link(), release.ID), map[string]string{
+ "_csrf": GetCSRF(t, session, repo.Link()),
+ })
+ session.MakeRequest(t, req, http.StatusOK)
+ release = unittest.AssertExistsAndLoadBean(t, &repo_model.Release{ID: release.ID})
+
+ if assert.True(t, release.IsTag) {
+ req = NewRequestWithValues(t, "POST", fmt.Sprintf("%s/tags/delete?id=%d", otherRepo.Link(), release.ID), map[string]string{
+ "_csrf": GetCSRF(t, session5, otherRepo.Link()),
+ })
+ session5.MakeRequest(t, req, http.StatusNotFound)
+
+ req = NewRequestWithValues(t, "POST", fmt.Sprintf("%s/tags/delete?id=%d", repo.Link(), release.ID), map[string]string{
+ "_csrf": GetCSRF(t, session, repo.Link()),
+ })
+ session.MakeRequest(t, req, http.StatusOK)
+
+ unittest.AssertNotExistsBean(t, &repo_model.Release{ID: release.ID})
+ }
+}
+
 func TestCreateReleasePreRelease(t *testing.T) { + defer tests.PrepareTestEnv(t)()
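Review bot: After each `http.StatusNotFound` response in TestDeleteRelease the test checks only the status code, never that the release survived, so a handler that deleted the row before answering 404 would still pass; add `rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{ID: release.ID})` followed by `assert.False(t, rel.IsTag)` after the first session5 request, and the same two lines with `assert.True` after the second, so the cross-repository requests are proven to have no side effect. The lookup `&repo_model.Release{TagName: "v2.0"}` is not scoped to the repository, so it silently depends on no other fixture repository carrying a `v2.0` tag; `&repo_model.Release{RepoID: repo.ID, TagName: "v2.0"}` pins it to the repository loaded on the line above. The comment `// Using the ID of a comment that does not belong to the repository must fail` describes a release ID, not a comment; `// Using the ID of a release that does not belong to the repository must fail` matches the request that follows.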