Docker/forgejo
Docker/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-08-04 17:35:21 +02:00
Code Issues Releases Activity

test: prevent XSS for label rendering

Browse source
This commit is contained in:
Robert Wolff 2025-06-27 13:27:06 +02:00
parent 1b9ac27578
commit 76b3f4cd6a
3 changed files with 52 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

24
models/fixtures/label.yml
View file

@ -3,6 +3,7 @@
repo_id: 1 repo_id: 1
org_id: 0 org_id: 0
name: label1 name: label1
description: 'First label'
color: '#abcdef' color: '#abcdef'
exclusive: false exclusive: false
num_issues: 2 num_issues: 2
@ -107,3 +108,26 @@
num_issues: 0 num_issues: 0
num_closed_issues: 0 num_closed_issues: 0
archived_unix: 0 archived_unix: 0
-
id: 11
repo_id: 3
org_id: 0
name: " <script>malicious</script> /'?&"
description: "Malicious label ' <script>malicious</script>"
color: '#000000'
exclusive: true
num_issues: 0
num_closed_issues: 0
archived_unix: 0
-
id: 12
repo_id: 3
org_id: 0
name: 'archived label<>'
color: '#000000'
exclusive: false
num_issues: 0
num_closed_issues: 0
archived_unix: 2991092130

27
modules/templates/util_render_test.go
View file

@ -218,11 +218,30 @@ func TestRenderLabels(t *testing.T) {
tr := &translation.MockLocale{} tr := &translation.MockLocale{}
label := unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 1}) label := unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 1})
labelScoped := unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 7})
labelMalicious := unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 11})
labelArchived := unittest.AssertExistsAndLoadBean(t, &issues_model.Label{ID: 12})
assert.Contains(t, RenderLabels(db.DefaultContext, tr, []*issues_model.Label{label}, "user2/repo1", false), rendered := RenderLabels(db.DefaultContext, tr, []*issues_model.Label{label}, "user2/repo1", false)
"user2/repo1/issues?labels=1") assert.Contains(t, rendered, "user2/repo1/issues?labels=1")
assert.Contains(t, RenderLabels(db.DefaultContext, tr, []*issues_model.Label{label}, "user2/repo1", true), assert.Contains(t, rendered, ">label1<")
"user2/repo1/pulls?labels=1") assert.Contains(t, rendered, "title='First label'")
rendered = RenderLabels(db.DefaultContext, tr, []*issues_model.Label{label}, "user2/repo1", true)
assert.Contains(t, rendered, "user2/repo1/pulls?labels=1")
assert.Contains(t, rendered, ">label1<")
rendered = RenderLabels(db.DefaultContext, tr, []*issues_model.Label{labelScoped}, "user2/repo1", false)
assert.Contains(t, rendered, "user2/repo1/issues?labels=7")
assert.Contains(t, rendered, ">scope<")
assert.Contains(t, rendered, ">label1<")
rendered = RenderLabels(db.DefaultContext, tr, []*issues_model.Label{labelMalicious}, "user2/repo1", false)
assert.Contains(t, rendered, "user2/repo1/issues?labels=11")
assert.Contains(t, rendered, "> &lt;script&gt;malicious&lt;/script&gt; <")
assert.Contains(t, rendered, ">&#39;?&amp;<")
assert.Contains(t, rendered, "title='Malicious label &#39; &lt;script&gt;malicious&lt;/script&gt;'")
rendered = RenderLabels(db.DefaultContext, tr, []*issues_model.Label{labelArchived}, "user2/repo1", false)
assert.Contains(t, rendered, "user2/repo1/issues?labels=12")
assert.Contains(t, rendered, ">archived label&lt;&gt;<")
assert.Contains(t, rendered, "title='repo.issues.archived_label_description'")
} }
func TestRenderUser(t *testing.T) { func TestRenderUser(t *testing.T) {

1
services/convert/issue_test.go
View file

@ -27,6 +27,7 @@ func TestLabel_ToLabel(t *testing.T) {
ID: label.ID, ID: label.ID,
Name: label.Name, Name: label.Name,
Color: "abcdef", Color: "abcdef",
Description: label.Description,
URL: fmt.Sprintf("%sapi/v1/repos/user2/repo1/labels/%d", setting.AppURL, label.ID), URL: fmt.Sprintf("%sapi/v1/repos/user2/repo1/labels/%d", setting.AppURL, label.ID),
}, ToLabel(label, repo, nil)) }, ToLabel(label, repo, nil))
} }