changeset 7315:3fb7c1e059ed stable

tests: introduce API test coverage for some invalid repo names - especially repo names that would need escaping to prevent XSS
author Mads Kiilerich <mads@kiilerich.com>
date Tue, 29 May 2018 12:25:42 +0200
parents 083fbf531a5d
children 7d5e8894db6c
files kallithea/tests/api/api_base.py
diffstat 1 files changed, 31 insertions(+), 0 deletions(-) [+]
--- a/kallithea/tests/api/api_base.py	Tue May 29 12:25:41 2018 +0200
+++ b/kallithea/tests/api/api_base.py	Tue May 29 12:25:42 2018 +0200
@@ -998,6 +998,37 @@
         self._compare_ok(id_, expected, given=response.body)
         fixture.destroy_repo(repo_name)
 
+    @parameterized.expand([
+        (u'',),
+        (u'.',),
+        (u'..',),
+        (u':',),
+        (u'/',),
+        (u'<test>',),
+    ])
+    def test_api_create_repo_bad_names(self, repo_name):
+        id_, params = _build_data(self.apikey, 'create_repo',
+                                  repo_name=repo_name,
+                                  owner=TEST_USER_ADMIN_LOGIN,
+                                  repo_type=self.REPO_TYPE,
+        )
+        response = api_call(self, params)
+        if repo_name == '/':
+            expected = "repo group `` not found"
+            self._compare_error(id_, expected, given=response.body)
+        elif repo_name in [':', '<test>']:
+            # FIXME: special characters and XSS injection should not be allowed
+            expected = {
+                'msg': 'Created new repository `%s`' % repo_name,
+                'success': True,
+                'task': None,
+            }
+            self._compare_ok(id_, expected, given=response.body)
+        else:
+            expected = "failed to create repository `%s`" % repo_name
+            self._compare_error(id_, expected, given=response.body)
+        fixture.destroy_repo(repo_name)
+
     def test_api_create_repo_clone_uri_local(self):
         # cloning from local repo was a mis-feature - it would bypass access control
         # TODO: introduce other test coverage of actual remote cloning
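Review bot: The cleanup on the last added line, `fixture.destroy_repo(repo_name)`, runs unconditionally but is skipped whenever one of the `_compare_ok`/`_compare_error` calls above it raises, so a `<test>` or `:` repository that was actually created stays behind and can affect later tests in the class; it is also invoked for names such as `''`, `.`, `..` and `/` whose creation the test itself expects to fail, and whether `destroy_repo` tolerates a missing repo is not visible here. Wrap the three comparison branches in `try: ... finally: fixture.destroy_repo(repo_name)`, or call it only in the branch that expects `'success': True`. Separately, the FIXME branch pins `'success': True` for the XSS-bearing name, so the moment the API starts rejecting it this test fails rather than reporting a fixed known defect; a comment such as `# expected to flip to an error once create_repo validates names` next to the FIXME would make that intent clear to whoever fixes it.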