Files
gitea/tests/integration/feed_user_test.go
T
f69e15afe7 fix: various security fixes (#38406)
Addresses a batch of privately reported security issues, grouped by
area:

- **SSRF** - migration PR-patch/asset fetches, OAuth2 avatar & OpenID
discovery, pull-mirror URL re-validation, and the outbound proxy path.
- **Access-token scope** - prevent scope escalation on token creation;
keep public-only tokens confined (feeds, packages, Actions listings,
star/watch lists, limited/private owners).
- **Access control / disclosure** - go-get default-branch leak, webhook
authorization-header leak, watch clearing on private transitions,
label/attachment scoping.
- **Denial of service** - input bounds for npm dist-tags, Debian control
files, Arch file lists, and SSH keys.

### 📌 Attention for site admins

Not breaking - existing configs keep working - but two changes are worth
a look:

- **New SSRF protection** Outbound requests (migrations, OAuth2 avatars,
OpenID discovery, pull mirrors, proxy path) are now validated against
the allow/block host lists. If your instance legitimately reaches
internal hosts, you may need to add them to
`[security].ALLOWED_HOST_LIST` (and the relevant `ALLOW_LOCALNETWORKS`
settings).
- **Deprecation** `[webhook].ALLOWED_HOST_LIST` is deprecated and will
be removed in a future release. Use `[security].ALLOWED_HOST_LIST`
instead; the old key still works for now.

---------

Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Zettat123 <zettat123@gmail.com>
2026-07-12 17:14:09 +00:00

110 lines
3.8 KiB
Go

// Copyright 2022 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package integration
import (
"encoding/xml"
"net/http"
"testing"
auth_model "gitea.dev/models/auth"
"gitea.dev/tests"
"github.com/stretchr/testify/assert"
)
// RSS is a struct to unmarshal RSS feeds test only
type RSS struct {
Channel struct {
Title string `xml:"title"`
Link string `xml:"link"`
Description string `xml:"description"`
PubDate string `xml:"pubDate"`
Items []struct {
Title string `xml:"title"`
Link string `xml:"link"`
Description string `xml:"description"`
PubDate string `xml:"pubDate"`
} `xml:"item"`
} `xml:"channel"`
}
func TestFeedUser(t *testing.T) {
t.Run("User", func(t *testing.T) {
t.Run("Atom", func(t *testing.T) {
defer tests.PrepareTestEnv(t)()
req := NewRequest(t, "GET", "/user2.atom")
resp := MakeRequest(t, req, http.StatusOK)
data := resp.Body.String()
assert.Contains(t, data, `<feed xmlns="http://www.w3.org/2005/Atom"`)
})
t.Run("RSS", func(t *testing.T) {
defer tests.PrepareTestEnv(t)()
req := NewRequest(t, "GET", "/user2.rss")
resp := MakeRequest(t, req, http.StatusOK)
data := resp.Body.String()
assert.Contains(t, data, `<rss version="2.0"`)
var rss RSS
err := xml.Unmarshal(resp.Body.Bytes(), &rss)
assert.NoError(t, err)
assert.Contains(t, rss.Channel.Link, "/user2")
assert.NotEmpty(t, rss.Channel.PubDate)
})
})
}
// TestFeedUserPublicOnlyToken ensures a public-only API token cannot surface a user's
// private activity through their profile feed, even when authenticated as the owner.
func TestFeedUserPublicOnlyToken(t *testing.T) {
defer tests.PrepareTestEnv(t)()
// user2 has activity on the private repo user2/repo2
const privateMarker = "user2/repo2"
// a normal read:user token authenticated as the owner sees private activity
fullToken := getUserToken(t, "user2", auth_model.AccessTokenScopeReadUser)
reqFull := NewRequest(t, "GET", "/user2.rss")
reqFull.SetBasicAuth("user2", fullToken)
respFull := MakeRequest(t, reqFull, http.StatusOK)
assert.Contains(t, respFull.Body.String(), privateMarker)
// a public-only token must not surface the private activity
publicOnlyToken := getUserToken(t, "user2", auth_model.AccessTokenScopeReadUser, auth_model.AccessTokenScopePublicOnly)
reqPublicOnly := NewRequest(t, "GET", "/user2.rss")
reqPublicOnly.SetBasicAuth("user2", publicOnlyToken)
respPublicOnly := MakeRequest(t, reqPublicOnly, http.StatusOK)
assert.NotContains(t, respPublicOnly.Body.String(), privateMarker)
}
// TestProfileActivityPublicOnlyToken ensures the HTML profile activity tab does not
// surface a user's private activity to a public-only API token, mirroring the RSS/Atom
// guard. The /{username} route is AllowBasic, so a public-only PAT used as the Basic
// password must still be downgraded even for the feed owner.
func TestProfileActivityPublicOnlyToken(t *testing.T) {
defer tests.PrepareTestEnv(t)()
// user2 has activity on the private repo user2/repo2
const privateMarker = "user2/repo2"
// a normal read:user token authenticated as the owner sees private activity
fullToken := getUserToken(t, "user2", auth_model.AccessTokenScopeReadUser)
reqFull := NewRequest(t, "GET", "/user2?tab=activity")
reqFull.SetBasicAuth("user2", fullToken)
respFull := MakeRequest(t, reqFull, http.StatusOK)
assert.Contains(t, respFull.Body.String(), privateMarker)
// a public-only token must not surface the private activity
publicOnlyToken := getUserToken(t, "user2", auth_model.AccessTokenScopeReadUser, auth_model.AccessTokenScopePublicOnly)
reqPublicOnly := NewRequest(t, "GET", "/user2?tab=activity")
reqPublicOnly.SetBasicAuth("user2", publicOnlyToken)
respPublicOnly := MakeRequest(t, reqPublicOnly, http.StatusOK)
assert.NotContains(t, respPublicOnly.Body.String(), privateMarker)
}