1// Copyright 2019 The Gitea Authors. All rights reserved.
2// SPDX-License-Identifier: MIT
3
4package migrations
5
6import (
7"net"
8"path/filepath"
9"testing"
10
11"code.gitea.io/gitea/models/unittest"
12user_model "code.gitea.io/gitea/models/user"
13"code.gitea.io/gitea/modules/setting"
14
15"github.com/stretchr/testify/assert"
16)
17
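// TestMigrateWhiteBlocklist exercises IsMigrateURLAllowed, the check applied to
// a user-supplied migration source before the server fetches it.
//
// It covers three things: domain allow/block lists (including case-insensitive
// host matching), rejection of a private-network address unless
// AllowLocalNetworks is enabled, and the rules for importing from a local
// filesystem path.
//
// The test rewrites package-level settings, so it snapshots them first and
// restores them on exit. Otherwise later tests in the package would inherit
// BlockedDomains = "github.com" and AllowLocalNetworks = true.
func TestMigrateWhiteBlocklist(t *testing.T) {
	assert.NoError(t, unittest.PrepareTestDatabase())

	// Snapshot every global this test mutates and restore it on exit, even if
	// a later statement panics. Init is called again so that whatever state it
	// derives from the settings matches the restored values.
	oldAllowedDomains := setting.Migrations.AllowedDomains
	oldBlockedDomains := setting.Migrations.BlockedDomains
	oldAllowLocalNetworks := setting.Migrations.AllowLocalNetworks
	oldImportLocalPaths := setting.ImportLocalPaths
	defer func() {
		setting.Migrations.AllowedDomains = oldAllowedDomains
		setting.Migrations.BlockedDomains = oldBlockedDomains
		setting.Migrations.AllowLocalNetworks = oldAllowLocalNetworks
		setting.ImportLocalPaths = oldImportLocalPaths
		assert.NoError(t, Init())
	}()

	// NOTE(review): user1 is treated as the administrator and user2 as a
	// regular account; that comes from the fixtures, which are not shown here.
	adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user1"})
	nonAdminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})

	// Allow list only: hosts outside the list are refused.
	setting.Migrations.AllowedDomains = "github.com"
	setting.Migrations.AllowLocalNetworks = false
	assert.NoError(t, Init())

	err := IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)
	assert.Error(t, err)

	err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)
	assert.NoError(t, err)

	// Host matching must ignore case, so a mixed-case spelling of a listed
	// domain gets the same verdict as the canonical one.
	err = IsMigrateURLAllowed("https://gITHUb.com/go-gitea/gitea.git", nonAdminUser)
	assert.NoError(t, err)

	// Block list only: everything except the listed host is accepted.
	setting.Migrations.AllowedDomains = ""
	setting.Migrations.BlockedDomains = "github.com"
	assert.NoError(t, Init())

	err = IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)
	assert.NoError(t, err)

	err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)
	assert.Error(t, err)

	// A private-range address is refused while AllowLocalNetworks is false;
	// this is the guard that keeps migrations from reaching internal hosts.
	err = IsMigrateURLAllowed("https://10.0.0.1/go-gitea/gitea.git", nonAdminUser)
	assert.Error(t, err)

	// Opting in to local networks lifts that guard.
	setting.Migrations.AllowLocalNetworks = true
	assert.NoError(t, Init())
	err = IsMigrateURLAllowed("https://10.0.0.1/go-gitea/gitea.git", nonAdminUser)
	assert.NoError(t, err)

	// Local filesystem sources: with ImportLocalPaths disabled even the admin
	// is refused.
	setting.ImportLocalPaths = false

	err = IsMigrateURLAllowed("/home/foo/bar/goo", adminUser)
	assert.Error(t, err)

	// With ImportLocalPaths enabled, an existing directory is accepted for the
	// admin and refused for a regular user.
	setting.ImportLocalPaths = true
	abs, err := filepath.Abs(".")
	assert.NoError(t, err)

	err = IsMigrateURLAllowed(abs, adminUser)
	assert.NoError(t, err)

	err = IsMigrateURLAllowed(abs, nonAdminUser)
	assert.Error(t, err)

	// A regular user is accepted once the per-user AllowImportLocal flag is
	// set. Only the in-memory bean is changed; nothing is written to the
	// database.
	nonAdminUser.AllowImportLocal = true
	err = IsMigrateURLAllowed(abs, nonAdminUser)
	assert.NoError(t, err)
}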
77
// TestAllowBlockList pins the verdicts of checkByAllowBlockList for a host
// name and one resolved IP address under several allow-list, block-list and
// local-network configurations.
//
// Two of the scenarios record configurations that accept a loopback address;
// they are noted below because such settings could lead to SSRF in production.
func TestAllowBlockList(t *testing.T) {
	// configure writes the three migration settings and calls Init, which the
	// test relies on to make them take effect.
	configure := func(allow, block string, local bool) {
		setting.Migrations.AllowedDomains = allow
		setting.Migrations.BlockedDomains = block
		setting.Migrations.AllowLocalNetworks = local
		assert.NoError(t, Init())
	}
	// check evaluates a host together with a single resolved address.
	check := func(host, ip string) error {
		return checkByAllowBlockList(host, []net.IP{net.ParseIP(ip)})
	}

	const (
		externalIP = "1.2.3.4"
		loopbackIP = "127.0.0.1"
	)

	// Defaults: every external host is allowed, nothing is blocked, and local
	// networks are refused.
	configure("", "", false)
	assert.NoError(t, check("domain.com", externalIP))
	assert.Error(t, check("domain.com", loopbackIP))

	// Local networks enabled: loopback is accepted as well (it could lead to
	// SSRF in production).
	configure("", "", true)
	assert.NoError(t, check("domain.com", externalIP))
	assert.NoError(t, check("domain.com", loopbackIP))

	// Wildcard allow entry plus a blocked subdomain. When the domain name is
	// allowed, the local network check is skipped, so an allow-listed name is
	// accepted even when it resolves to loopback. The block entry still
	// rejects blocked.domain.com, and a host outside the allow list is
	// rejected.
	configure("*.domain.com", "blocked.domain.com", false)
	assert.NoError(t, check("sub.domain.com", externalIP))
	assert.NoError(t, check("sub.domain.com", loopbackIP))
	assert.Error(t, check("blocked.domain.com", externalIP))
	assert.Error(t, check("sub.other.com", externalIP))

	// Allow everything with "*": loopback is accepted although local networks
	// are off (it could lead to SSRF in production).
	configure("*", "", false)
	assert.NoError(t, check("domain.com", externalIP))
	assert.NoError(t, check("domain.com", loopbackIP))

	// Even with "*" allowed, a block entry can still reject local addresses.
	configure("*", "127.0.0.*", false)
	assert.NoError(t, check("domain.com", externalIP))
	assert.Error(t, check("domain.com", loopbackIP))

	// Return the settings to the defaults used at the start of the test.
	configure("", "", false)
}