gitea
Зеркало из https://github.com/go-gitea/gitea
115 строк · 4.0 Кб
1// Copyright 2019 The Gitea Authors. All rights reserved.2// SPDX-License-Identifier: MIT3package migrations5import (7"net"8"path/filepath"9"testing"10"code.gitea.io/gitea/models/unittest"12user_model "code.gitea.io/gitea/models/user"13"code.gitea.io/gitea/modules/setting"14"github.com/stretchr/testify/assert"16)17func TestMigrateWhiteBlocklist(t *testing.T) {19assert.NoError(t, unittest.PrepareTestDatabase())20adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user1"})22nonAdminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})23setting.Migrations.AllowedDomains = "github.com"25setting.Migrations.AllowLocalNetworks = false26assert.NoError(t, Init())27err := IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)29assert.Error(t, err)30err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)32assert.NoError(t, err)33err = IsMigrateURLAllowed("https://gITHUb.com/go-gitea/gitea.git", nonAdminUser)35assert.NoError(t, err)36setting.Migrations.AllowedDomains = ""38setting.Migrations.BlockedDomains = "github.com"39assert.NoError(t, Init())40err = IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)42assert.NoError(t, err)43err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)45assert.Error(t, err)46err = IsMigrateURLAllowed("https://10.0.0.1/go-gitea/gitea.git", nonAdminUser)48assert.Error(t, err)49setting.Migrations.AllowLocalNetworks = true51assert.NoError(t, Init())52err = IsMigrateURLAllowed("https://10.0.0.1/go-gitea/gitea.git", nonAdminUser)53assert.NoError(t, err)54old := setting.ImportLocalPaths56setting.ImportLocalPaths = false57err = IsMigrateURLAllowed("/home/foo/bar/goo", adminUser)59assert.Error(t, err)60setting.ImportLocalPaths = true62abs, err := filepath.Abs(".")63assert.NoError(t, err)64err = IsMigrateURLAllowed(abs, adminUser)66assert.NoError(t, err)67err = IsMigrateURLAllowed(abs, nonAdminUser)69assert.Error(t, err)70nonAdminUser.AllowImportLocal = true72err = IsMigrateURLAllowed(abs, nonAdminUser)73assert.NoError(t, err)74setting.ImportLocalPaths = old76}77func TestAllowBlockList(t *testing.T) {79init := func(allow, block string, local bool) {80setting.Migrations.AllowedDomains = allow81setting.Migrations.BlockedDomains = block82setting.Migrations.AllowLocalNetworks = local83assert.NoError(t, Init())84}85// default, allow all external, block none, no local networks87init("", "", false)88assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))89assert.Error(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))90// allow all including local networks (it could lead to SSRF in production)92init("", "", true)93assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))94assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))95// allow wildcard, block some subdomains. if the domain name is allowed, then the local network check is skipped97init("*.domain.com", "blocked.domain.com", false)98assert.NoError(t, checkByAllowBlockList("sub.domain.com", []net.IP{net.ParseIP("1.2.3.4")}))99assert.NoError(t, checkByAllowBlockList("sub.domain.com", []net.IP{net.ParseIP("127.0.0.1")}))100assert.Error(t, checkByAllowBlockList("blocked.domain.com", []net.IP{net.ParseIP("1.2.3.4")}))101assert.Error(t, checkByAllowBlockList("sub.other.com", []net.IP{net.ParseIP("1.2.3.4")}))102// allow wildcard (it could lead to SSRF in production)104init("*", "", false)105assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))106assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))107// local network can still be blocked109init("*", "127.0.0.*", false)110assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))111assert.Error(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))112// reset114init("", "", false)115}116