fix: Prevent "leak" of raw gitea API response for CSP
This commit is contained in:
parent
25eb0de1e7
commit
80234fd5ba
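--- a/FILE-1-PATH-NOT-ON-PAGE
+++ b/FILE-1-PATH-NOT-ON-PAGE
@@ -97,6 +97,8 @@ func NewGiteaClient(giteaUrl string, giteaClient *gitea.Client) GiteaClient {
 return []byte{}, true, err
 } else if resp.StatusCode == 302 {
 return []byte{}, false, nil
+} else if resp.StatusCode == 404 {
+return []byte{}, false, fmt.Errorf("File does not exist")
 } else {
 return content, true, err
 }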
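Review bot: The new branch closes the leak only for a 404; any other non-success answer (401/403 on a private or rate-limited repository, 5xx) still falls through to the `} else {` at the end of the hunk and returns `content, true, err`, i.e. the raw API body flagged as a valid file, which is exactly what the commit title says it prevents. Guarding on the success class instead covers all of them, e.g. `} else if resp.StatusCode != 200 {` / `return []byte{}, false, fmt.Errorf("unexpected status %d fetching file", resp.StatusCode)`, with the 404 branch kept only if callers need to tell "missing" apart from "failed". The error text `"File does not exist"` also starts with a capital letter against Go convention, and a package-level sentinel such as `ErrFileNotFound` would let callers match it with `errors.Is` instead of string comparison. NewGiteaClient's body starts and ends outside the hunk, so whether `resp` is guaranteed non-nil on the first line shown cannot be confirmed from here.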
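--- a/FILE-2-PATH-NOT-ON-PAGE
+++ b/FILE-2-PATH-NOT-ON-PAGE
@@ -2,9 +2,11 @@ package repo
 
 import (
 "errors"
+"net/http"
 "testing"
 "time"
 
+"code.gitea.io/sdk/gitea"
 log "github.com/sirupsen/logrus"
 )
 
@@ -372,3 +374,32 @@ func TestPickingRepositoryValidCNAMEWithTXTLookupAndSubdirectory(t *testing.T) {
 t.Fatalf("Invalid repository name returned: %s", repo.Name)
 }
 }
+
+func TestGetCSPForRepositoryNegativeIntegration(t *testing.T) {
+defer clearCache()
+
+httpClient := http.Client{Timeout: 10 * time.Second}
+giteaClient, err := gitea.NewClient(
+"https://git.polynom.me",
+gitea.SetHTTPClient(&httpClient),
+gitea.SetToken(""),
+gitea.SetUserAgent("rio-testing"),
+)
+if err != nil {
+t.Fatalf("Failed to create Gitea client: %v", err)
+}
+client := NewGiteaClient("https://git.polynom.me", giteaClient)
+
+// The repository has no CSP file, so it should return the invalid value
+defaultValue := "<INVALID>"
+csp := GetCSPForRepository(
+"papatutuwawa",
+"rio",
+defaultValue,
+&client,
+)
+
+if csp != defaultValue {
+t.Fatalf("Unexpected CSP returned: %s", csp)
+}
+}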
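Review bot: TestGetCSPForRepositoryNegativeIntegration depends on a live request to https://git.polynom.me with an empty token, so whenever the network or that host is unavailable it fails (through the `t.Fatalf` after `gitea.NewClient`, or inside `GetCSPForRepository`) instead of being skipped; add `if testing.Short() { t.Skip("requires network access to git.polynom.me") }` as the first statement so `go test -short` stays hermetic. The test also pins only the 404 path the commit fixes; a unit test that points `gitea.NewClient`/`NewGiteaClient` at an `httptest.Server` replying 403 or 500 with a JSON error body would show whether those responses still surface as a CSP value, which the live test cannot exercise. The comment above `defaultValue` could state the contract more precisely, e.g. `// The repository has no CSP file, so GetCSPForRepository must fall back to defaultValue rather than return the API error body`.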