Add test for "fetch redirect", add CSS value validation for external render (#37207)

By the way, fix the checkAppUrl message for #37212
wxiaoguang
2026-04-14 21:11:08 +08:00
committed by GitHub
parent 9327b1808e
commit 699eb41e7c
7 changed files with 105 additions and 5 deletions
+3 -2
@@ -18,9 +18,10 @@ func FetchRedirectDelegate(resp http.ResponseWriter, req *http.Request) {
// then frontend needs this delegate to redirect to the new location with hash correctly.
redirect := req.FormValue("redirect")
if req.Method != http.MethodPost || !httplib.IsCurrentGiteaSiteURL(req.Context(), redirect) {
resp.WriteHeader(http.StatusBadRequest)
http.Error(resp, "Bad Request", http.StatusBadRequest)
return
}
resp.Header().Add("Location", redirect)
// no OpenRedirect, the "redirect" is validated by "IsCurrentGiteaSiteURL" above
resp.Header().Set("Location", redirect)
resp.WriteHeader(http.StatusSeeOther)
}
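Review bot: The new comment above `resp.Header().Set("Location", redirect)` asserts that there is no open redirect, but it does not state the condition that guarantee rests on: the string written to `Location` must be byte-for-byte the string that `IsCurrentGiteaSiteURL` accepted. I would word it as `// no OpenRedirect: "redirect" is written unchanged after IsCurrentGiteaSiteURL accepted it; do not trim, decode or rewrite it between the check and this line`. Separately, `req.FormValue` reads the URL query as well as the POST body, so the parameter can arrive in either place. If only the body is intended, `req.PostFormValue("redirect")` would narrow it, though the added test passes the value in the query and would need adjusting. The function body begins above this hunk.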
+48
@@ -0,0 +1,48 @@
// Copyright 2026 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package common
import (
"net/http"
"net/http/httptest"
"net/url"
"strings"
"testing"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/test"
"github.com/stretchr/testify/assert"
)
func TestFetchRedirectDelegate(t *testing.T) {
defer test.MockVariableValue(&setting.AppURL, "https://gitea/")()
cases := []struct {
method string
input string
status int
}{
{method: "POST", input: "/foo?k=v", status: http.StatusSeeOther},
{method: "GET", input: "/foo?k=v", status: http.StatusBadRequest},
{method: "POST", input: `\/foo?k=v`, status: http.StatusBadRequest},
{method: "POST", input: `\\/foo?k=v`, status: http.StatusBadRequest},
{method: "POST", input: "https://gitea/xxx", status: http.StatusSeeOther},
{method: "POST", input: "https://other/xxx", status: http.StatusBadRequest},
}
for _, c := range cases {
t.Run(c.method+" "+c.input, func(t *testing.T) {
resp := httptest.NewRecorder()
req := httptest.NewRequest(c.method, "/?redirect="+url.QueryEscape(c.input), nil)
FetchRedirectDelegate(resp, req)
assert.Equal(t, c.status, resp.Code)
if c.status == http.StatusSeeOther {
assert.Equal(t, c.input, resp.Header().Get("Location"))
} else {
assert.Empty(t, resp.Header().Get("Location"))
assert.Equal(t, "Bad Request", strings.TrimSpace(resp.Body.String()))
}
})
}
}
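Review bot: The case table covers backslash-prefixed paths and a foreign absolute URL, but it has no scheme-relative input and no empty `redirect`, and the handler's "no OpenRedirect" comment depends on the validator handling both. I would add `{method: "POST", input: "//other/xxx", status: http.StatusBadRequest},` (expected to be rejected; confirm against `IsCurrentGiteaSiteURL`) and a case with `input: ""` that pins the intended status when the parameter is missing. Every request here carries `redirect` in the query string, even for POST, so the form-body path that `req.FormValue` also reads is never exercised. One case that sends the value in a `strings.NewReader` body with `Content-Type: application/x-www-form-urlencoded` would cover it.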