From 80234fd5ba6db1f1b8601c6be5988a248b217067 Mon Sep 17 00:00:00 2001
From: "Alexander \"PapaTutuWawa"
Date: Thu, 11 Jan 2024 20:50:48 +0100
Subject: [PATCH] fix: Prevent "leak" of raw gitea API response for CSP
---
 internal/repo/client.go | 2 ++
 internal/repo/repo_test.go | 31 +++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/internal/repo/client.go b/internal/repo/client.go
index 57344d4..c39932d 100644
--- a/internal/repo/client.go
+++ b/internal/repo/client.go
@@ -97,6 +97,8 @@ func NewGiteaClient(giteaUrl string, giteaClient *gitea.Client) GiteaClient {
 return []byte{}, true, err
 } else if resp.StatusCode == 302 {
 return []byte{}, false, nil
+ } else if resp.StatusCode == 404 {
+ return []byte{}, false, fmt.Errorf("File does not exist")
 } else {
 return content, true, err
 }
diff --git a/internal/repo/repo_test.go b/internal/repo/repo_test.go
index bb11b28..ebdb382 100644
--- a/internal/repo/repo_test.go
+++ b/internal/repo/repo_test.go
@@ -2,9 +2,11 @@ package repo
 
 import (
 "errors"
+ "net/http"
 "testing"
 "time"
 
+ "code.gitea.io/sdk/gitea"
 log "github.com/sirupsen/logrus"
 )
 
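Review bot: The new guard closes the leak only for a 404; any other non-2xx response (401/403 on a private repository, 429, 5xx) still falls through to `return content, true, err` in the final else branch and hands the raw API body back as if it were file content, which is the same defect the commit is fixing. I would make success the only path that returns content, e.g. `} else if resp.StatusCode != 200 {` followed by `return []byte{}, false, fmt.Errorf("unexpected status %d fetching file", resp.StatusCode)`, keeping the 302 branch above it as-is. Separately, Go error strings are conventionally lowercase, and a constant message like this is better as a package-level sentinel (`var ErrFileNotFound = errors.New("file does not exist")`) so callers can use `errors.Is` instead of matching text. The closure this hunk edits begins and ends outside the hunk, and whether the SDK already returns a non-nil err on a 404 (which would make the new branch unreachable after the `err != nil` check above) cannot be told from here.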
@@ -372,3 +374,32 @@ func TestPickingRepositoryValidCNAMEWithTXTLookupAndSubdirectory(t *testing.T) {
 t.Fatalf("Invalid repository name returned: %s", repo.Name)
 }
 }
+
+func TestGetCSPForRepositoryNegativeIntegration(t *testing.T) {
+ defer clearCache()
+
+ httpClient := http.Client{Timeout: 10 * time.Second}
+ giteaClient, err := gitea.NewClient(
+ "https://git.polynom.me",
+ gitea.SetHTTPClient(&httpClient),
+ gitea.SetToken(""),
+ gitea.SetUserAgent("rio-testing"),
+ )
+ if err != nil {
+ t.Fatalf("Failed to create Gitea client: %v", err)
+ }
+ client := NewGiteaClient("https://git.polynom.me", giteaClient)
+
+ // The repository has no CSP file, so it should return the invalid value
+ defaultValue := ""
+ csp := GetCSPForRepository(
+ "papatutuwawa",
+ "rio",
+ defaultValue,
+ &client,
+ )
+
+ if csp != defaultValue {
+ t.Fatalf("Unexpected CSP returned: %s", csp)
+ }
+}
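Review bot: This test talks to the live host git.polynom.me, so `go test` now needs network access and depends on a third party's repository never gaining a CSP file; at minimum it should be skipped in short mode with `if testing.Short() { t.Skip("requires network access to git.polynom.me") }` as the first statement of the function. The assertion is also likely vacuous: if the host is unreachable or the empty token is rejected, GetCSPForRepository presumably falls back to `defaultValue` as well (its body is not in this diff), so a broken network passes this test exactly like a correct 404 mapping does. A hermetic variant would stand up an `httptest.Server` that answers the file request with a 404 and a JSON error body, point the Gitea client at it, and assert the result equals `defaultValue`; that pins the actual regression the client.go change addresses. The comment `// The repository has no CSP file, so it should return the invalid value` says "invalid value" while the variable is named `defaultValue`; make the two agree.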