mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-23 06:43:34 +01:00
[SECURITY] Test XSS in dismissed review
It's possible for reviews to not be assiocated with users, when they were migrated from another forge instance. In the migration code, there's no sanitization check for author names, so they could contain HTML tags and thus needs to be properely escaped. (cherry picked from commitca798e4cc2
) (cherry picked from commitd3de80b9cc
)
This commit is contained in:
parent
4fdd0ed728
commit
672caa6813
3 changed files with 32 additions and 0 deletions
|
@ -0,0 +1,9 @@
|
|||
-
|
||||
id: 1000
|
||||
type: 32 # dismiss review
|
||||
poster_id: 2
|
||||
issue_id: 2 # in repo_id 1
|
||||
content: "XSS time!"
|
||||
review_id: 1000
|
||||
created_unix: 1700000000
|
||||
updated_unix: 1700000000
|
|
@ -0,0 +1,8 @@
|
|||
-
|
||||
id: 1000
|
||||
type: 1
|
||||
issue_id: 2
|
||||
original_author: "Otto <script class='evil'>alert('Oh no!')</script>"
|
||||
content: "XSS time!"
|
||||
updated_unix: 1700000000
|
||||
created_unix: 1700000000
|
|
@ -13,6 +13,7 @@ import (
|
|||
"testing"
|
||||
"time"
|
||||
|
||||
issues_model "code.gitea.io/gitea/models/issues"
|
||||
"code.gitea.io/gitea/models/unittest"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
"code.gitea.io/gitea/modules/git"
|
||||
|
@ -112,3 +113,17 @@ func TestXSSWikiLastCommitInfo(t *testing.T) {
|
|||
})
|
||||
})
|
||||
}
|
||||
|
||||
func TestXSSReviewDismissed(t *testing.T) {
|
||||
defer tests.AddFixtures("tests/integration/fixtures/TestXSSReviewDismissed/")()
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
|
||||
review := unittest.AssertExistsAndLoadBean(t, &issues_model.Review{ID: 1000})
|
||||
|
||||
req := NewRequest(t, http.MethodGet, fmt.Sprintf("/user2/repo1/pulls/%d", +review.IssueID))
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
htmlDoc := NewHTMLParser(t, resp.Body)
|
||||
|
||||
htmlDoc.AssertElement(t, "script.evil", false)
|
||||
assert.Contains(t, htmlDoc.Find("#issuecomment-1000 .dismissed-message").Text(), `dismissed Otto <script class='evil'>alert('Oh no!')</script>’s review`)
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue