fix: Prevent "leak" of raw gitea API response for CSP

internal/repo/client.go

@@ -97,6 +97,8 @@ func NewGiteaClient(giteaUrl string, giteaClient *gitea.Client) GiteaClient {
 				return []byte{}, true, err
 			} else if resp.StatusCode == 302 {
 				return []byte{}, false, nil
+			} else if resp.StatusCode == 404 {
+				return []byte{}, false, fmt.Errorf("File does not exist")
 			} else {
 				return content, true, err
 			}

internal/repo/repo_test.go

@@ -2,9 +2,11 @@ package repo
 
 import (
 	"errors"
+	"net/http"
 	"testing"
 	"time"
 
+	"code.gitea.io/sdk/gitea"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -372,3 +374,32 @@ func TestPickingRepositoryValidCNAMEWithTXTLookupAndSubdirectory(t *testing.T) {
 		t.Fatalf("Invalid repository name returned: %s", repo.Name)
 	}
 }
+
+func TestGetCSPForRepositoryNegativeIntegration(t *testing.T) {
+	defer clearCache()
+
+	httpClient := http.Client{Timeout: 10 * time.Second}
+	giteaClient, err := gitea.NewClient(
+		"https://git.polynom.me",
+		gitea.SetHTTPClient(&httpClient),
+		gitea.SetToken(""),
+		gitea.SetUserAgent("rio-testing"),
+	)
+	if err != nil {
+		t.Fatalf("Failed to create Gitea client: %v", err)
+	}
+	client := NewGiteaClient("https://git.polynom.me", giteaClient)
+
+	// The repository has no CSP file, so it should return the invalid value
+	defaultValue := "<INVALID>"
+	csp := GetCSPForRepository(
+		"papatutuwawa",
+		"rio",
+		defaultValue,
+		&client,
+	)
+
+	if csp != defaultValue {
+		t.Fatalf("Unexpected CSP returned: %s", csp)
+	}
+}