gitea/tests/integration/xss_test.go

// Copyright 2017 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package integration

import (
	"net/http"
	"testing"

	"code.gitea.io/gitea/models/unittest"
	user_model "code.gitea.io/gitea/models/user"
	"code.gitea.io/gitea/tests"

	"github.com/stretchr/testify/assert"
)

func TestXSSUserFullName(t *testing.T) {
	defer tests.PrepareTestEnv(t)()
	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
	const fullName = `name & <script class="evil">alert('Oh no!');</script>`

	session := loginUser(t, user.Name)
	req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
		"_csrf":     GetCSRF(t, session, "/user/settings"),
		"name":      user.Name,
		"full_name": fullName,
		"email":     user.Email,
		"language":  "en-US",
	})
	session.MakeRequest(t, req, http.StatusSeeOther)

	req = NewRequestf(t, "GET", "/%s", user.Name)
	resp := session.MakeRequest(t, req, http.StatusOK)
	htmlDoc := NewHTMLParser(t, resp.Body)
	assert.EqualValues(t, 0, htmlDoc.doc.Find("script.evil").Length())
	assert.EqualValues(t, fullName,
		htmlDoc.doc.Find("div.content").Find(".header.text.center").Text(),
	)
}
Fix username rendering bug (#2122) * Fix username rendering bug * XSS integration test * Migration to unescape user full names 2017-07-12 10:58:52 -04:00			`// Copyright 2017 The Gitea Authors. All rights reserved.`
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2022-11-27 13:20:29 -05:00			`// SPDX-License-Identifier: MIT`
Fix username rendering bug (#2122) * Fix username rendering bug * XSS integration test * Migration to unescape user full names 2017-07-12 10:58:52 -04:00
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs 2022-09-02 15:18:23 -04:00			`package integration`
Fix username rendering bug (#2122) * Fix username rendering bug * XSS integration test * Migration to unescape user full names 2017-07-12 10:58:52 -04:00
			`import (`
			`"net/http"`
			`"testing"`

Decouple unit test, remove intermediate `unittestbridge` package (#17662) Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2021-11-16 16:53:21 +08:00			`"code.gitea.io/gitea/models/unittest"`
Move user related model into models/user (#17781) * Move user related model into models/user * Fix lint for windows * Fix windows lint * Fix windows lint * Move some tests in models * Merge 2021-11-24 17:49:20 +08:00			`user_model "code.gitea.io/gitea/models/user"`
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs 2022-09-02 15:18:23 -04:00			`"code.gitea.io/gitea/tests"`
Fix username rendering bug (#2122) * Fix username rendering bug * XSS integration test * Migration to unescape user full names 2017-07-12 10:58:52 -04:00
			`"github.com/stretchr/testify/assert"`
			`)`

			`func TestXSSUserFullName(t *testing.T) {`
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs 2022-09-02 15:18:23 -04:00			`defer tests.PrepareTestEnv(t)()`
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net> 2022-08-16 10:22:25 +08:00			`user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})`
Fix username rendering bug (#2122) * Fix username rendering bug * XSS integration test * Migration to unescape user full names 2017-07-12 10:58:52 -04:00			const fullName = `name & <script class="evil">alert('Oh no!');</script>`

			`session := loginUser(t, user.Name)`
			`req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{`
			`"_csrf": GetCSRF(t, session, "/user/settings"),`
			`"name": user.Name,`
			`"full_name": fullName,`
			`"email": user.Email,`
User Settings: Ignore empty language codes & validate (#13755) 2020-12-04 07:20:30 +01:00			`"language": "en-US",`
Fix username rendering bug (#2122) * Fix username rendering bug * XSS integration test * Migration to unescape user full names 2017-07-12 10:58:52 -04:00			`})`
Update HTTP status codes to modern codes (#18063) * 2xx/3xx/4xx/5xx -> http.Status... * http.StatusFound -> http.StatusTemporaryRedirect * http.StatusMovedPermanently -> http.StatusPermanentRedirect 2022-03-23 05:54:07 +01:00			`session.MakeRequest(t, req, http.StatusSeeOther)`
Fix username rendering bug (#2122) * Fix username rendering bug * XSS integration test * Migration to unescape user full names 2017-07-12 10:58:52 -04:00
			`req = NewRequestf(t, "GET", "/%s", user.Name)`
			`resp := session.MakeRequest(t, req, http.StatusOK)`
			`htmlDoc := NewHTMLParser(t, resp.Body)`
			`assert.EqualValues(t, 0, htmlDoc.doc.Find("script.evil").Length())`
			`assert.EqualValues(t, fullName,`
			`htmlDoc.doc.Find("div.content").Find(".header.text.center").Text(),`
			`)`
			`}`