# HG changeset patch
# User Mads Kiilerich
# Date 1527589542 -7200
# Node ID 552170092d06ea6250280771412b80efccca115f
# Parent caa482f8fb5ff8aba718dda796526e6a4c8314df
tests: introduce API test coverage for some invalid repo names - especially repo names that would need escaping to prevent XSS

diff -r caa482f8fb5f -r 552170092d06 kallithea/tests/api/api_base.py
--- a/kallithea/tests/api/api_base.py	Tue May 29 12:25:41 2018 +0200
+++ b/kallithea/tests/api/api_base.py	Tue May 29 12:25:42 2018 +0200
@@ -1045,8 +1045,39 @@
         self._compare_ok(id_, expected, given=response.body)
         fixture.destroy_repo(repo_name)
 
+    @parametrize('repo_name', [
+        u'',
+        u'.',
+        u'..',
+        u':',
+        u'/',
+        u'',
+    ])
+    def test_api_create_repo_bad_names(self, repo_name):
+        id_, params = _build_data(self.apikey, 'create_repo',
+                                  repo_name=repo_name,
+                                  owner=TEST_USER_ADMIN_LOGIN,
+                                  repo_type=self.REPO_TYPE,
+                                  )
+        response = api_call(self, params)
+        if repo_name == '/':
+            expected = "repo group `` not found"
+            self._compare_error(id_, expected, given=response.body)
+        elif repo_name in [':', '']:
+            # FIXME: special characters and XSS injection should not be allowed
+            expected = {
+                'msg': 'Created new repository `%s`' % repo_name,
+                'success': True,
+                'task': None,
+            }
+            self._compare_ok(id_, expected, given=response.body)
+        else:
+            expected = "failed to create repository `%s`" % repo_name
+            self._compare_error(id_, expected, given=response.body)
+        fixture.destroy_repo(repo_name)
+
     def test_api_create_repo_clone_uri_local(self):
-        # cloning from local repo was a mis-feature - it would bypass access control
+        # cloning from local repos was a mis-feature - it would bypass access control
         # TODO: introduce other test coverage of actual remote cloning
         clone_uri = os.path.join(TESTS_TMP_PATH, self.REPO)
         repo_name = u'api-repo'
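Review bot: The `elif repo_name in [':', '']` branch asserts that a repository with a special-character name is created, so the new test pins exactly the behaviour the FIXME comment calls wrong and will keep passing, green, until someone remembers to flip it; marking that branch as an expected failure (for instance `pytest.mark.xfail`, if this module runs under pytest) or asserting the `failed to create repository` error would make the missing name validation show up in the test run instead of being hidden by it. `fixture.destroy_repo(repo_name)` runs unconditionally at the end of `test_api_create_repo_bad_names`, including for the names whose creation was just asserted to fail, so whatever it does with a missing or empty name decides whether those parametrized cases clean up or error. As rendered, the parametrize list contains `u''` twice and the same empty string appears in the `in [':', '']` check, which looks like a lost special-character payload rather than a genuine duplicate — worth confirming the committed list matches what the FIXME describes, since with two empty entries the `else` branch only ever sees `.` and `..`.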