diff --git a/routers/web/repo/wiki_test.go b/routers/web/repo/wiki_test.go
index 47bad6d8e0..0c49e7d902 100644
--- a/routers/web/repo/wiki_test.go
+++ b/routers/web/repo/wiki_test.go
@@ -86,7 +86,7 @@ func TestWiki(t *testing.T) {
Wiki(ctx)
assert.EqualValues(t, http.StatusOK, ctx.Resp.Status())
assert.EqualValues(t, "Home", ctx.Data["Title"])
- assertPagesMetas(t, []string{"Home", "Long Page", "Page With Image", "Page With Spaced Name", "Unescaped File"}, ctx.Data["Pages"])
+ assertPagesMetas(t, []string{"Home", "Long Page", "Page With Image", "Page With Spaced Name", "Unescaped File", "XSS"}, ctx.Data["Pages"])
}
func TestWikiPages(t *testing.T) {
@@ -96,7 +96,7 @@ func TestWikiPages(t *testing.T) {
contexttest.LoadRepo(t, ctx, 1)
WikiPages(ctx)
assert.EqualValues(t, http.StatusOK, ctx.Resp.Status())
- assertPagesMetas(t, []string{"Home", "Long Page", "Page With Image", "Page With Spaced Name", "Unescaped File"}, ctx.Data["Pages"])
+ assertPagesMetas(t, []string{"Home", "Long Page", "Page With Image", "Page With Spaced Name", "Unescaped File", "XSS"}, ctx.Data["Pages"])
}
func TestNewWiki(t *testing.T) {
diff --git a/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/a6/dc41d9e96df65286a79f5625ec51635e47f752 b/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/a6/dc41d9e96df65286a79f5625ec51635e47f752
new file mode 100644
index 0000000000..1aecac1f1b
Binary files /dev/null and b/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/a6/dc41d9e96df65286a79f5625ec51635e47f752 differ
diff --git a/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/df/6b6d9a97608bc8b56d4f30cde5af00f0681ccf b/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/df/6b6d9a97608bc8b56d4f30cde5af00f0681ccf
new file mode 100644
index 0000000000..3927778ddf
Binary files /dev/null and b/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/df/6b6d9a97608bc8b56d4f30cde5af00f0681ccf differ
diff --git a/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/f5/4f5a6b7c4f83b606600e43186165854f189530 b/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/f5/4f5a6b7c4f83b606600e43186165854f189530
new file mode 100644
index 0000000000..a69fc57996
Binary files /dev/null and b/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/f5/4f5a6b7c4f83b606600e43186165854f189530 differ
diff --git a/tests/gitea-repositories-meta/user2/repo1.wiki.git/refs/heads/master b/tests/gitea-repositories-meta/user2/repo1.wiki.git/refs/heads/master
index c804802cbf..bd0c0d7efe 100644
--- a/tests/gitea-repositories-meta/user2/repo1.wiki.git/refs/heads/master
+++ b/tests/gitea-repositories-meta/user2/repo1.wiki.git/refs/heads/master
@@ -1 +1 @@
-d49ac742d44063dcf69d4e0afe725813b777dd89
+f54f5a6b7c4f83b606600e43186165854f189530
diff --git a/tests/integration/api_wiki_test.go b/tests/integration/api_wiki_test.go
index e086fa26af..638b90a4aa 100644
--- a/tests/integration/api_wiki_test.go
+++ b/tests/integration/api_wiki_test.go
@@ -224,6 +224,29 @@ func TestAPIListWikiPages(t *testing.T) {
Message: "add unescaped file\n",
},
},
+ {
+ Title: "XSS",
+ HTMLURL: meta[5].HTMLURL,
+ SubURL: "XSS",
+ LastCommit: &api.WikiCommit{
+ ID: "f54f5a6b7c4f83b606600e43186165854f189530",
+ Author: &api.CommitUser{
+ Identity: api.Identity{
+ Name: "Gusted",
+ Email: "valid@example.org",
+ },
+ Date: "2024-01-31T00:00:00Z",
+ },
+ Committer: &api.CommitUser{
+ Identity: api.Identity{
+ Name: "Gusted",
+ Email: "valid@example.org",
+ },
+ Date: "2024-01-31T00:00:00Z",
+ },
+ Message: "Yay XSS",
+ },
+ },
}
assert.Equal(t, dummymeta, meta)
diff --git a/tests/integration/wiki_test.go b/tests/integration/wiki_test.go
index 3e30b94486..30170086d2 100644
--- a/tests/integration/wiki_test.go
+++ b/tests/integration/wiki_test.go
@@ -61,7 +61,7 @@ func Test_RepoWikiPages(t *testing.T) {
doc := NewHTMLParser(t, resp.Body)
expectedPagePaths := []string{
- "Home", "Long-Page", "Page-With-Image", "Page-With-Spaced-Name", "Unescaped-File",
+ "Home", "Long-Page", "Page-With-Image", "Page-With-Spaced-Name", "Unescaped-File", "XSS",
}
doc.Find("tr").Each(func(i int, s *goquery.Selection) {
firstAnchor := s.Find("a").First()
diff --git a/tests/integration/xss_test.go b/tests/integration/xss_test.go
index 70038cf560..6ac5b062f2 100644
--- a/tests/integration/xss_test.go
+++ b/tests/integration/xss_test.go
@@ -4,25 +4,16 @@
package integration
import (
- "context"
"fmt"
"net/http"
- "net/url"
- "os"
- "path/filepath"
"testing"
- "time"
issues_model "code.gitea.io/gitea/models/issues"
"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/tests"
- gogit "github.com/go-git/go-git/v5"
- "github.com/go-git/go-git/v5/plumbing/object"
"github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
)
func TestXSSUserFullName(t *testing.T) {
@@ -50,67 +41,29 @@ func TestXSSUserFullName(t *testing.T) {
}
func TestXSSWikiLastCommitInfo(t *testing.T) {
- onGiteaRun(t, func(t *testing.T, u *url.URL) {
- // Prepare the environment.
- dstPath := t.TempDir()
- r := fmt.Sprintf("%suser2/repo1.wiki.git", u.String())
- u, err := url.Parse(r)
- require.NoError(t, err)
- u.User = url.UserPassword("user2", userPassword)
- require.NoError(t, git.CloneWithArgs(context.Background(), git.AllowLFSFiltersArgs(), u.String(), dstPath, git.CloneRepoOptions{}))
+ defer tests.PrepareTestEnv(t)()
+ // Check on page view.
+ t.Run("Page view", func(t *testing.T) {
+ defer tests.PrintCurrentTest(t)()
- // Use go-git here, because using git wouldn't work, it has code to remove
- // `<`, `>` and `\n` in user names. Even though this is permitted and
- // wouldn't result in a error by a Git server.
- gitRepo, err := gogit.PlainOpen(dstPath)
- require.NoError(t, err)
+ req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/XSS")
+ resp := MakeRequest(t, req, http.StatusOK)
+ htmlDoc := NewHTMLParser(t, resp.Body)
- w, err := gitRepo.Worktree()
- require.NoError(t, err)
+ htmlDoc.AssertElement(t, "script.evil", false)
+ assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted edited this page 2024-01-31`)
+ })
- filename := filepath.Join(dstPath, "Home.md")
- err = os.WriteFile(filename, []byte("Oh, a XSS attack?"), 0o644)
- require.NoError(t, err)
+ // Check on revisions page.
+ t.Run("Revision page", func(t *testing.T) {
+ defer tests.PrintCurrentTest(t)()
- _, err = w.Add("Home.md")
- require.NoError(t, err)
+ req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/XSS?action=_revision")
+ resp := MakeRequest(t, req, http.StatusOK)
+ htmlDoc := NewHTMLParser(t, resp.Body)
- _, err = w.Commit("Yay XSS", &gogit.CommitOptions{
- Author: &object.Signature{
- Name: `Gusted`,
- Email: "valid@example.org",
- When: time.Date(2024, time.January, 31, 0, 0, 0, 0, time.UTC),
- },
- })
- require.NoError(t, err)
-
- // Push.
- _, _, err = git.NewCommand(git.DefaultContext, "push").AddArguments(git.ToTrustedCmdArgs([]string{"origin", "master"})...).RunStdString(&git.RunOpts{Dir: dstPath})
- require.NoError(t, err)
-
- // Check on page view.
- t.Run("Page view", func(t *testing.T) {
- defer tests.PrintCurrentTest(t)()
-
- req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/Home")
- resp := MakeRequest(t, req, http.StatusOK)
- htmlDoc := NewHTMLParser(t, resp.Body)
-
- htmlDoc.AssertElement(t, "script.evil", false)
- assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted edited this page 2024-01-31`)
- })
-
- // Check on revisions page.
- t.Run("Revision page", func(t *testing.T) {
- defer tests.PrintCurrentTest(t)()
-
- req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/Home?action=_revision")
- resp := MakeRequest(t, req, http.StatusOK)
- htmlDoc := NewHTMLParser(t, resp.Body)
-
- htmlDoc.AssertElement(t, "script.evil", false)
- assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted edited this page 2024-01-31`)
- })
+ htmlDoc.AssertElement(t, "script.evil", false)
+ assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted edited this page 2024-01-31`)
})
}