chore: remove illegal git usage (#6488)

This is no longer possible in future go-git versions, so lets hardcode it

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6488
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>

routers/web/repo/wiki_test.go

@@ -86,7 +86,7 @@ func TestWiki(t *testing.T) {
 	Wiki(ctx)
 	assert.EqualValues(t, http.StatusOK, ctx.Resp.Status())
 	assert.EqualValues(t, "Home", ctx.Data["Title"])
-	assertPagesMetas(t, []string{"Home", "Long Page", "Page With Image", "Page With Spaced Name", "Unescaped File"}, ctx.Data["Pages"])
+	assertPagesMetas(t, []string{"Home", "Long Page", "Page With Image", "Page With Spaced Name", "Unescaped File", "XSS"}, ctx.Data["Pages"])
 }
 
 func TestWikiPages(t *testing.T) {
@@ -96,7 +96,7 @@ func TestWikiPages(t *testing.T) {
 	contexttest.LoadRepo(t, ctx, 1)
 	WikiPages(ctx)
 	assert.EqualValues(t, http.StatusOK, ctx.Resp.Status())
-	assertPagesMetas(t, []string{"Home", "Long Page", "Page With Image", "Page With Spaced Name", "Unescaped File"}, ctx.Data["Pages"])
+	assertPagesMetas(t, []string{"Home", "Long Page", "Page With Image", "Page With Spaced Name", "Unescaped File", "XSS"}, ctx.Data["Pages"])
 }
 
 func TestNewWiki(t *testing.T) {

tests/gitea-repositories-meta/user2/repo1.wiki.git/refs/heads/master

@@ -1 +1 @@
-d49ac742d44063dcf69d4e0afe725813b777dd89
+f54f5a6b7c4f83b606600e43186165854f189530

tests/integration/api_wiki_test.go

@@ -224,6 +224,29 @@ func TestAPIListWikiPages(t *testing.T) {
 				Message: "add unescaped file\n",
 			},
 		},
+		{
+			Title:   "XSS",
+			HTMLURL: meta[5].HTMLURL,
+			SubURL:  "XSS",
+			LastCommit: &api.WikiCommit{
+				ID: "f54f5a6b7c4f83b606600e43186165854f189530",
+				Author: &api.CommitUser{
+					Identity: api.Identity{
+						Name:  "Gusted<script class=\"evil\">alert('Oh no!');</script>",
+						Email: "valid@example.org",
+					},
+					Date: "2024-01-31T00:00:00Z",
+				},
+				Committer: &api.CommitUser{
+					Identity: api.Identity{
+						Name:  "Gusted<script class=\"evil\">alert('Oh no!');</script>",
+						Email: "valid@example.org",
+					},
+					Date: "2024-01-31T00:00:00Z",
+				},
+				Message: "Yay XSS",
+			},
+		},
 	}
 
 	assert.Equal(t, dummymeta, meta)

tests/integration/wiki_test.go

@@ -61,7 +61,7 @@ func Test_RepoWikiPages(t *testing.T) {
 
 	doc := NewHTMLParser(t, resp.Body)
 	expectedPagePaths := []string{
-		"Home", "Long-Page", "Page-With-Image", "Page-With-Spaced-Name", "Unescaped-File",
+		"Home", "Long-Page", "Page-With-Image", "Page-With-Spaced-Name", "Unescaped-File", "XSS",
 	}
 	doc.Find("tr").Each(func(i int, s *goquery.Selection) {
 		firstAnchor := s.Find("a").First()

tests/integration/xss_test.go

@@ -4,25 +4,16 @@
 package integration
 
 import (
-	"context"
 	"fmt"
 	"net/http"
-	"net/url"
-	"os"
-	"path/filepath"
 	"testing"
-	"time"
 
 	issues_model "code.gitea.io/gitea/models/issues"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/tests"
 
-	gogit "github.com/go-git/go-git/v5"
-	"github.com/go-git/go-git/v5/plumbing/object"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )
 
 func TestXSSUserFullName(t *testing.T) {
@@ -50,49 +41,12 @@ func TestXSSUserFullName(t *testing.T) {
 }
 
 func TestXSSWikiLastCommitInfo(t *testing.T) {
-	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+	defer tests.PrepareTestEnv(t)()
-		// Prepare the environment.
-		dstPath := t.TempDir()
-		r := fmt.Sprintf("%suser2/repo1.wiki.git", u.String())
-		u, err := url.Parse(r)
-		require.NoError(t, err)
-		u.User = url.UserPassword("user2", userPassword)
-		require.NoError(t, git.CloneWithArgs(context.Background(), git.AllowLFSFiltersArgs(), u.String(), dstPath, git.CloneRepoOptions{}))
-
-		// Use go-git here, because using git wouldn't work, it has code to remove
-		// `<`, `>` and `\n` in user names. Even though this is permitted and
-		// wouldn't result in a error by a Git server.
-		gitRepo, err := gogit.PlainOpen(dstPath)
-		require.NoError(t, err)
-
-		w, err := gitRepo.Worktree()
-		require.NoError(t, err)
-
-		filename := filepath.Join(dstPath, "Home.md")
-		err = os.WriteFile(filename, []byte("Oh, a XSS attack?"), 0o644)
-		require.NoError(t, err)
-
-		_, err = w.Add("Home.md")
-		require.NoError(t, err)
-
-		_, err = w.Commit("Yay XSS", &gogit.CommitOptions{
-			Author: &object.Signature{
-				Name:  `Gusted<script class="evil">alert('Oh no!');</script>`,
-				Email: "valid@example.org",
-				When:  time.Date(2024, time.January, 31, 0, 0, 0, 0, time.UTC),
-			},
-		})
-		require.NoError(t, err)
-
-		// Push.
-		_, _, err = git.NewCommand(git.DefaultContext, "push").AddArguments(git.ToTrustedCmdArgs([]string{"origin", "master"})...).RunStdString(&git.RunOpts{Dir: dstPath})
-		require.NoError(t, err)
-
 	// Check on page view.
 	t.Run("Page view", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/Home")
+		req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/XSS")
 		resp := MakeRequest(t, req, http.StatusOK)
 		htmlDoc := NewHTMLParser(t, resp.Body)
 
@@ -104,14 +58,13 @@ func TestXSSWikiLastCommitInfo(t *testing.T) {
 	t.Run("Revision page", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/Home?action=_revision")
+		req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/XSS?action=_revision")
 		resp := MakeRequest(t, req, http.StatusOK)
 		htmlDoc := NewHTMLParser(t, resp.Body)
 
 		htmlDoc.AssertElement(t, "script.evil", false)
 		assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted<script class="evil">alert('Oh no!');</script> edited this page 2024-01-31`)
 	})
-	})
 }
 
 func TestXSSReviewDismissed(t *testing.T) {