[GITEA] test GET /{owner}/{repo}/comments/{id}/attachments

Refs: https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers

(cherry picked from commit 888dda12cf9bc95f9ef85ba5a518cf40152e07ea)
(cherry picked from commit aceeca55da0c2e94f3e495c4a60148411a27c4ac)
(cherry picked from commit ab7e649668dfcabfb03e2a87c3c4641f8d2fa6ff)
(cherry picked from commit 7fb8598c7df683d701ca04d01d9ff52db1e39298)
(cherry picked from commit fb4961e2a5d6b249b0761cbabb80d68106764835)
(cherry picked from commit 9fe856a29a1e233d8cd15edcfd03847ca9b4c7d8)
(cherry picked from commit 6db21c013dd4003937532587471c2411622dd384)
(cherry picked from commit 72c84eb19c0ee6f7eaf13162991b79249e0d6ed7)
(cherry picked from commit 07ebc9761dc2633dbb3fea0b85abd047dcbec9e8)
(cherry picked from commit 0c8f4840022fcf521dc2264b8a2e8f9a9833b212)
(cherry picked from commit 25df7d89bc7d726b6d18d135f8cef281702b6267)
(cherry picked from commit 0f436a0d229164ce59cb563cf0d5a0607eaae3ed)
(cherry picked from commit 6109f8b6c10c7eb9bf1de7658867473ed5bb5069)
This commit is contained in:
Loïc Dachary 2023-11-12 13:52:48 +01:00 committed by Earl Warren
parent 3f71a0ef02
commit 21c4d844f3
WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS.
GPG key ID: 0579CB2928A78A00

View file

@ -227,6 +227,56 @@ func TestIssueCommentDelete(t *testing.T) {
unittest.AssertNotExistsBean(t, &issues_model.Comment{ID: commentID})
}
func TestIssueCommentAttachment(t *testing.T) {
defer tests.PrepareTestEnv(t)()
const repoURL = "user2/repo1"
const content = "Test comment 4"
const status = ""
session := loginUser(t, "user2")
issueURL := testNewIssue(t, session, "user2", "repo1", "Title", "Description")
req := NewRequest(t, "GET", issueURL)
resp := session.MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
link, exists := htmlDoc.doc.Find("#comment-form").Attr("action")
assert.True(t, exists, "The template has changed")
uuid := createAttachment(t, session, repoURL, "image.png", generateImg(), http.StatusOK)
commentCount := htmlDoc.doc.Find(".comment-list .comment .render-content").Length()
req = NewRequestWithValues(t, "POST", link, map[string]string{
"_csrf": htmlDoc.GetCSRF(),
"content": content,
"status": status,
"files": uuid,
})
resp = session.MakeRequest(t, req, http.StatusOK)
req = NewRequest(t, "GET", test.RedirectURL(resp))
resp = session.MakeRequest(t, req, http.StatusOK)
htmlDoc = NewHTMLParser(t, resp.Body)
val := htmlDoc.doc.Find(".comment-list .comment .render-content p").Eq(commentCount).Text()
assert.Equal(t, content, val)
idAttr, has := htmlDoc.doc.Find(".comment-list .comment").Eq(commentCount).Attr("id")
idStr := idAttr[strings.LastIndexByte(idAttr, '-')+1:]
assert.True(t, has)
id, err := strconv.Atoi(idStr)
assert.NoError(t, err)
assert.NotEqual(t, 0, id)
req = NewRequest(t, "GET", fmt.Sprintf("/%s/%s/comments/%d/attachments", "user2", "repo1", id))
session.MakeRequest(t, req, http.StatusOK)
// Using the ID of a comment that does not belong to the repository must fail
req = NewRequest(t, "GET", fmt.Sprintf("/%s/%s/comments/%d/attachments", "user5", "repo4", id))
session.MakeRequest(t, req, http.StatusNotFound)
}
func TestIssueCommentUpdate(t *testing.T) {
defer tests.PrepareTestEnv(t)()
session := loginUser(t, "user2")