fix: Prevent "leak" of raw gitea API response for CSP

This commit is contained in:
PapaTutuWawa 2024-01-11 20:50:48 +01:00
parent 25eb0de1e7
commit 80234fd5ba
2 changed files with 33 additions and 0 deletions


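--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -97,6 +97,8 @@ func NewGiteaClient(giteaUrl string, giteaClient *gitea.Client) GiteaClient {
 return []byte{}, true, err
 } else if resp.StatusCode == 302 {
 return []byte{}, false, nil
+} else if resp.StatusCode == 404 {
+return []byte{}, false, fmt.Errorf("File does not exist")
 } else {
 return content, true, err
 }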
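Review bot: The new 404 branch only stops the raw API body from being handed back for a missing file; any other non-2xx status (a 403 on a private repository, a 5xx from the server) still falls through to the final `else` and returns `content, true, err`, which is the same leak the commit title describes. If 200 is the only success status this path expects, a broader guard such as `} else if resp.StatusCode != 200 {` returning `[]byte{}, false, fmt.Errorf("unexpected status %d", resp.StatusCode)` would close that off for every status not handled explicitly. The added error string should also be lowercase per Go convention, `"file does not exist"`. The enclosing function NewGiteaClient starts outside the hunk, so what callers do with the second return value (false here, as in the 302 branch) is not visible.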


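--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -2,9 +2,11 @@ package repo
 import (
 "errors"
+"net/http"
 "testing"
 "time"
+"code.gitea.io/sdk/gitea"
 log "github.com/sirupsen/logrus"
 )
@@ -372,3 +374,32 @@ func TestPickingRepositoryValidCNAMEWithTXTLookupAndSubdirectory(t *testing.T) {
 t.Fatalf("Invalid repository name returned: %s", repo.Name)
 }
 }
+func TestGetCSPForRepositoryNegativeIntegration(t *testing.T) {
+defer clearCache()
+httpClient := http.Client{Timeout: 10 * time.Second}
+giteaClient, err := gitea.NewClient(
+"https://git.polynom.me",
+gitea.SetHTTPClient(&httpClient),
+gitea.SetToken(""),
+gitea.SetUserAgent("rio-testing"),
+)
+if err != nil {
+t.Fatalf("Failed to create Gitea client: %v", err)
+}
+client := NewGiteaClient("https://git.polynom.me", giteaClient)
+// The repository has no CSP file, so it should return the invalid value
+defaultValue := "<INVALID>"
+csp := GetCSPForRepository(
+"papatutuwawa",
+"rio",
+defaultValue,
+&client,
+)
+if csp != defaultValue {
+t.Fatalf("Unexpected CSP returned: %s", csp)
+}
+}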
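Review bot: TestGetCSPForRepositoryNegativeIntegration makes a live request to https://git.polynom.me, so it fails without network access and depends on that repository never gaining a CSP file; it should at least be skippable, e.g. `if testing.Short() { t.Skip("needs network access to git.polynom.me") }` as the first statement of the function. The 10 s client timeout bounds a hang but does not make the test hermetic. Because the assertion only checks that defaultValue comes back, it cannot tell "no CSP file" apart from "request failed", so the existing comment should state that GetCSPForRepository is expected to fall back to defaultValue for any lookup error, not just a missing file.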