// Copyright 2017 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package integration
import (
"net/http"
"strings"
"testing"
"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/tests"
"github.com/stretchr/testify/assert"
)
// TestCsrfProtection verifies that a state-changing web request carrying a
// bogus CSRF token is rejected, whether the token is supplied as the "_csrf"
// form field or in the "X-Csrf-Token" header. Rejection is observed the way
// the web UI surfaces it: the POST answers 303 with Location pointing at the
// application root, and the landing page then renders an "invalid CSRF token"
// flash message. The POST itself is not expected to return a 4xx.
//
// NOTE(review): both cases send a syntactically wrong token. A request with
// no token at all, and a token minted for a different session, are not
// exercised here — worth adding if the middleware treats them differently.
func TestCsrfProtection(t *testing.T) {
	defer tests.PrepareTestEnv(t)()

	const (
		bogusToken = "fake_csrf"
		flashText  = "Bad Request: invalid CSRF token"
	)

	testUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
	session := loginUser(t, testUser.Name)

	// expectCSRFRejection submits req and checks the rejection path.
	//
	// The request is sent twice and only the second response is inspected,
	// exactly as the original test did; the reason for the first, discarded
	// send is not visible here — TODO confirm whether it is needed (e.g. to
	// establish session state) and drop it otherwise. Note also that the
	// same *http.Request is reused: its body is consumed by the first send,
	// so whether the second POST still carries the form field depends on the
	// request's cached Form values — verify this is the intended scenario.
	expectCSRFRejection := func(req *http.Request) {
		session.MakeRequest(t, req, http.StatusSeeOther)
		postResp := session.MakeRequest(t, req, http.StatusSeeOther)

		target := postResp.Header().Get("Location")
		assert.Equal(t, setting.AppSubURL+"/", target)

		pageResp := session.MakeRequest(t, NewRequest(t, "GET", target), http.StatusOK)
		page := NewHTMLParser(t, pageResp.Body)
		// The flash text is compared against the default (English) locale.
		assert.Equal(t, flashText, strings.TrimSpace(page.doc.Find(".ui.message").Text()))
	}

	// Case 1: the token arrives as the "_csrf" form field.
	formReq := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
		"_csrf": bogusToken,
	})
	expectCSRFRejection(formReq)

	// Case 2: the token arrives in the request header.
	// TODO: should use an UI api to test
	headerReq := NewRequest(t, "POST", "/user/settings")
	headerReq.Header.Add("X-Csrf-Token", bogusToken)
	expectCSRFRejection(headerReq)
}