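// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

// Listing of code.gitea.io/gitea@v1.22.3/services/migrations/migrate_test.go.

package migrations

import (
	"net"
	"path/filepath"
	"testing"

	"code.gitea.io/gitea/models/unittest"
	user_model "code.gitea.io/gitea/models/user"
	"code.gitea.io/gitea/modules/setting"

	"github.com/stretchr/testify/assert"
)

// TestMigrateWhiteBlocklist exercises IsMigrateURLAllowed against the
// migration allow list, the block list, the local-network switch and the
// local-path import settings.
//
// The test mutates package-level settings. The previous values are restored
// and Init is re-run when the test returns, so that later tests in the package
// do not silently run with AllowLocalNetworks enabled or with a leftover
// block list.
func TestMigrateWhiteBlocklist(t *testing.T) {
	assert.NoError(t, unittest.PrepareTestDatabase())

	adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user1"})
	nonAdminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})

	// Snapshot every global this test touches before changing any of them.
	prevAllowed := setting.Migrations.AllowedDomains
	prevBlocked := setting.Migrations.BlockedDomains
	prevLocalNetworks := setting.Migrations.AllowLocalNetworks
	prevImportLocalPaths := setting.ImportLocalPaths
	defer func() {
		setting.Migrations.AllowedDomains = prevAllowed
		setting.Migrations.BlockedDomains = prevBlocked
		setting.Migrations.AllowLocalNetworks = prevLocalNetworks
		setting.ImportLocalPaths = prevImportLocalPaths
		// Init is re-run here because the test only ever applies changed
		// settings by calling Init after assigning them.
		assert.NoError(t, Init())
	}()

	// Allow list only: hosts outside the list are rejected.
	setting.Migrations.AllowedDomains = "github.com"
	setting.Migrations.AllowLocalNetworks = false
	assert.NoError(t, Init())

	err := IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)
	assert.Error(t, err)

	err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)
	assert.NoError(t, err)

	// Host matching must not depend on the case of the host name.
	err = IsMigrateURLAllowed("https://gITHUb.com/go-gitea/gitea.git", nonAdminUser)
	assert.NoError(t, err)

	// Block list only: everything external is allowed except listed hosts.
	setting.Migrations.AllowedDomains = ""
	setting.Migrations.BlockedDomains = "github.com"
	assert.NoError(t, Init())

	err = IsMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git", nonAdminUser)
	assert.NoError(t, err)

	err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)
	assert.Error(t, err)

	// With AllowLocalNetworks off, a private address is rejected even though
	// it is not on the block list.
	err = IsMigrateURLAllowed("https://10.0.0.1/go-gitea/gitea.git", nonAdminUser)
	assert.Error(t, err)

	// Turning AllowLocalNetworks on makes the same private address acceptable.
	setting.Migrations.AllowLocalNetworks = true
	assert.NoError(t, Init())
	err = IsMigrateURLAllowed("https://10.0.0.1/go-gitea/gitea.git", nonAdminUser)
	assert.NoError(t, err)

	// Local filesystem paths: refused for everyone, the admin included, while
	// ImportLocalPaths is off.
	setting.ImportLocalPaths = false

	err = IsMigrateURLAllowed("/home/foo/bar/goo", adminUser)
	assert.Error(t, err)

	// With ImportLocalPaths on, the admin may import an existing local path;
	// a regular user may do so only once AllowImportLocal is set on the user.
	setting.ImportLocalPaths = true
	abs, err := filepath.Abs(".")
	assert.NoError(t, err)

	err = IsMigrateURLAllowed(abs, adminUser)
	assert.NoError(t, err)

	err = IsMigrateURLAllowed(abs, nonAdminUser)
	assert.Error(t, err)

	nonAdminUser.AllowImportLocal = true
	err = IsMigrateURLAllowed(abs, nonAdminUser)
	assert.NoError(t, err)
}

// TestAllowBlockList checks checkByAllowBlockList for combinations of the
// allowed-domain list, the blocked-domain list and the local-network switch,
// passing the host name and its resolved addresses directly.
//
// The settings in effect before the test are restored by a deferred call, so
// the restore also runs if the test body panics.
func TestAllowBlockList(t *testing.T) {
	// configure applies one allow/block/local-network combination and rebuilds
	// the matchers through Init.
	configure := func(allow, block string, local bool) {
		setting.Migrations.AllowedDomains = allow
		setting.Migrations.BlockedDomains = block
		setting.Migrations.AllowLocalNetworks = local
		assert.NoError(t, Init())
	}
	// The arguments are evaluated now, so the deferred call restores the
	// values that were in effect on entry.
	defer configure(
		setting.Migrations.AllowedDomains,
		setting.Migrations.BlockedDomains,
		setting.Migrations.AllowLocalNetworks,
	)

	// default, allow all external, block none, no local networks
	configure("", "", false)
	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))
	assert.Error(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

	// allow all including local networks (it could lead to SSRF in production)
	configure("", "", true)
	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))
	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

	// allow wildcard, block some subdomains. if the domain name is allowed,
	// then the local network check is skipped.
	// The second assertion pins that behaviour: an allow-listed name whose
	// address is loopback is accepted even with local networks disabled, so an
	// allow-list entry also trusts whatever that name resolves to.
	configure("*.domain.com", "blocked.domain.com", false)
	assert.NoError(t, checkByAllowBlockList("sub.domain.com", []net.IP{net.ParseIP("1.2.3.4")}))
	assert.NoError(t, checkByAllowBlockList("sub.domain.com", []net.IP{net.ParseIP("127.0.0.1")}))
	assert.Error(t, checkByAllowBlockList("blocked.domain.com", []net.IP{net.ParseIP("1.2.3.4")}))
	assert.Error(t, checkByAllowBlockList("sub.other.com", []net.IP{net.ParseIP("1.2.3.4")}))

	// allow wildcard (it could lead to SSRF in production)
	configure("*", "", false)
	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))
	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))

	// local network can still be blocked: the block list is honoured even
	// when the allow list is "*".
	configure("*", "127.0.0.*", false)
	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))
	assert.Error(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))
}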