Changeset - 3fb7c1e059ed
[Not reviewed]
stable
Mads Kiilerich - 7 years ago 2018-05-29 12:25:42
mads@kiilerich.com
tests: introduce API test coverage for some invalid repo names - especially repo names that would need escaping to prevent XSS
1 file changed with 31 insertions and 0 deletions:
0 comments (0 inline, 0 general)
kallithea/tests/api/api_base.py
 
@@ -998,6 +998,37 @@ class _BaseTestApi(object):
 
        self._compare_ok(id_, expected, given=response.body)
 
        fixture.destroy_repo(repo_name)
 

	
 
    @parameterized.expand([
 
        (u'',),
 
        (u'.',),
 
        (u'..',),
 
        (u':',),
 
        (u'/',),
 
        (u'<test>',),
 
    ])
 
    def test_api_create_repo_bad_names(self, repo_name):
 
        id_, params = _build_data(self.apikey, 'create_repo',
 
                                  repo_name=repo_name,
 
                                  owner=TEST_USER_ADMIN_LOGIN,
 
                                  repo_type=self.REPO_TYPE,
 
        )
 
        response = api_call(self, params)
 
        if repo_name == '/':
 
            expected = "repo group `` not found"
 
            self._compare_error(id_, expected, given=response.body)
 
        elif repo_name in [':', '<test>']:
 
            # FIXME: special characters and XSS injection should not be allowed
 
            expected = {
 
                'msg': 'Created new repository `%s`' % repo_name,
 
                'success': True,
 
                'task': None,
 
            }
 
            self._compare_ok(id_, expected, given=response.body)
 
        else:
 
            expected = "failed to create repository `%s`" % repo_name
 
            self._compare_error(id_, expected, given=response.body)
 
        fixture.destroy_repo(repo_name)
 

	
 
    def test_api_create_repo_clone_uri_local(self):
 
        # cloning from local repo was a mis-feature - it would bypass access control
 
        # TODO: introduce other test coverage of actual remote cloning
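Review bot: The trailing `fixture.destroy_repo(repo_name)` in test_api_create_repo_bad_names runs for every parameter, including `''`, `'.'`, `'..'` and `'/'`, whose creation the test itself expects to fail; whether destroy_repo tolerates a repo that was never created is not visible in this hunk, so either confirm it is a no-op or guard it, e.g. `if repo_name in [':', '<test>']: fixture.destroy_repo(repo_name)`. The `elif repo_name in [':', '<test>']` branch asserts success for names the FIXME on the next line says should be rejected, so the expectation is a tripwire rather than a specification; a comment such as `# these currently succeed; this assertion is expected to break once repo-name validation rejects them` would make that intent explicit to whoever fixes the validation. The success-branch expectation also hard-codes the three response keys, so any later change to the create_repo reply shape will surface here as well as in the existing tests. The enclosing class _BaseTestApi and the following test_api_create_repo_clone_uri_local extend outside the hunk.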
0 comments (0 inline, 0 general)