chore: remove illegal git usage (#6501)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6501 Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2025-01-20 16:50:28 -05:00 · 2025-01-09 07:44:06 +00:00 · 2025-01-09 07:44:06 +00:00 · b6b79892c9
commit b6b79892c9
parent 9651e9d002 1c825edb1a
7 changed files with 44 additions and 67 deletions
--- a/routers/web/repo/wiki_test.go
+++ b/routers/web/repo/wiki_test.go
@ -86,7 +86,7 @@ func TestWiki(t *testing.T) {
 	Wiki(ctx)
 	assert.EqualValues(t, http.StatusOK, ctx.Resp.Status())
 	assert.EqualValues(t, "Home", ctx.Data["Title"])
-	assertPagesMetas(t, []string{"Home", "Page With Image", "Page With Spaced Name", "Unescaped File"}, ctx.Data["Pages"])
+	assertPagesMetas(t, []string{"Home", "Page With Image", "Page With Spaced Name", "Unescaped File", "XSS"}, ctx.Data["Pages"])
 }

 func TestWikiPages(t *testing.T) {
@ -96,7 +96,7 @@ func TestWikiPages(t *testing.T) {
 	contexttest.LoadRepo(t, ctx, 1)
 	WikiPages(ctx)
 	assert.EqualValues(t, http.StatusOK, ctx.Resp.Status())
-	assertPagesMetas(t, []string{"Home", "Page With Image", "Page With Spaced Name", "Unescaped File"}, ctx.Data["Pages"])
+	assertPagesMetas(t, []string{"Home", "Page With Image", "Page With Spaced Name", "Unescaped File", "XSS"}, ctx.Data["Pages"])
 }

 func TestNewWiki(t *testing.T) {
--- a/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/33/d12aaaf988976c9dbd0fed80107d34a3b7c333
+++ b/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/33/d12aaaf988976c9dbd0fed80107d34a3b7c333
--- a/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/a6/dc41d9e96df65286a79f5625ec51635e47f752
+++ b/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/a6/dc41d9e96df65286a79f5625ec51635e47f752
--- a/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/f5/2e5fe33420747668efc24fc03d44145db864bb
+++ b/tests/gitea-repositories-meta/user2/repo1.wiki.git/objects/f5/2e5fe33420747668efc24fc03d44145db864bb
--- a/tests/gitea-repositories-meta/user2/repo1.wiki.git/refs/heads/master
+++ b/tests/gitea-repositories-meta/user2/repo1.wiki.git/refs/heads/master
@ -1 +1 @@
-0dca5bd9b5d7ef937710e056f575e86c0184ba85
+33d12aaaf988976c9dbd0fed80107d34a3b7c333
--- a/tests/integration/api_wiki_test.go
+++ b/tests/integration/api_wiki_test.go
@ -198,6 +198,29 @@ func TestAPIListWikiPages(t *testing.T) {
 				Message: "add unescaped file\n",
 			},
 		},
+		{
+			Title:   "XSS",
+			HTMLURL: meta[4].HTMLURL,
+			SubURL:  "XSS",
+			LastCommit: &api.WikiCommit{
+				ID: "33d12aaaf988976c9dbd0fed80107d34a3b7c333",
+				Author: &api.CommitUser{
+					Identity: api.Identity{
+						Name:  "Gusted<script class=\"evil\">alert('Oh no!');</script>",
+						Email: "valid@example.org",
+					},
+					Date: "2024-01-31T00:00:00Z",
+				},
+				Committer: &api.CommitUser{
+					Identity: api.Identity{
+						Name:  "Gusted<script class=\"evil\">alert('Oh no!');</script>",
+						Email: "valid@example.org",
+					},
+					Date: "2024-01-31T00:00:00Z",
+				},
+				Message: "Yay XSS",
+			},
+		},
 	}

 	assert.Equal(t, dummymeta, meta)
--- a/tests/integration/xss_test.go
+++ b/tests/integration/xss_test.go
@ -4,25 +4,16 @@
 package integration

 import (
-	"context"
 	"fmt"
 	"net/http"
-	"net/url"
-	"os"
-	"path/filepath"
 	"testing"
-	"time"

 	issues_model "code.gitea.io/gitea/models/issues"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/tests"

-	gogit "github.com/go-git/go-git/v5"
-	"github.com/go-git/go-git/v5/plumbing/object"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func TestXSSUserFullName(t *testing.T) {
@ -50,67 +41,30 @@ func TestXSSUserFullName(t *testing.T) {
 }

 func TestXSSWikiLastCommitInfo(t *testing.T) {
-	onGiteaRun(t, func(t *testing.T, u *url.URL) {
-		// Prepare the environment.
-		dstPath := t.TempDir()
-		r := fmt.Sprintf("%suser2/repo1.wiki.git", u.String())
-		u, err := url.Parse(r)
-		require.NoError(t, err)
-		u.User = url.UserPassword("user2", userPassword)
-		require.NoError(t, git.CloneWithArgs(context.Background(), git.AllowLFSFiltersArgs(), u.String(), dstPath, git.CloneRepoOptions{}))
+	defer tests.PrepareTestEnv(t)()

-		// Use go-git here, because using git wouldn't work, it has code to remove
-		// `<`, `>` and `\n` in user names. Even though this is permitted and
-		// wouldn't result in a error by a Git server.
-		gitRepo, err := gogit.PlainOpen(dstPath)
-		require.NoError(t, err)
+	// Check on page view.
+	t.Run("Page view", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()

-		w, err := gitRepo.Worktree()
-		require.NoError(t, err)
+		req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/XSS")
+		resp := MakeRequest(t, req, http.StatusOK)
+		htmlDoc := NewHTMLParser(t, resp.Body)

-		filename := filepath.Join(dstPath, "Home.md")
-		err = os.WriteFile(filename, []byte("Oh, a XSS attack?"), 0o644)
-		require.NoError(t, err)
+		htmlDoc.AssertElement(t, "script.evil", false)
+		assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted<script class="evil">alert('Oh no!');</script> edited this page 2024-01-31`)
+	})

-		_, err = w.Add("Home.md")
-		require.NoError(t, err)
+	// Check on revisions page.
+	t.Run("Revision page", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()

-		_, err = w.Commit("Yay XSS", &gogit.CommitOptions{
-			Author: &object.Signature{
-				Name:  `Gusted<script class="evil">alert('Oh no!');</script>`,
-				Email: "valid@example.org",
-				When:  time.Date(2024, time.January, 31, 0, 0, 0, 0, time.UTC),
-			},
-		})
-		require.NoError(t, err)
+		req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/XSS?action=_revision")
+		resp := MakeRequest(t, req, http.StatusOK)
+		htmlDoc := NewHTMLParser(t, resp.Body)

-		// Push.
-		_, _, err = git.NewCommand(git.DefaultContext, "push").AddArguments(git.ToTrustedCmdArgs([]string{"origin", "master"})...).RunStdString(&git.RunOpts{Dir: dstPath})
-		require.NoError(t, err)
-
-		// Check on page view.
-		t.Run("Page view", func(t *testing.T) {
-			defer tests.PrintCurrentTest(t)()
-
-			req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/Home")
-			resp := MakeRequest(t, req, http.StatusOK)
-			htmlDoc := NewHTMLParser(t, resp.Body)
-
-			htmlDoc.AssertElement(t, "script.evil", false)
-			assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted<script class="evil">alert('Oh no!');</script> edited this page 2024-01-31`)
-		})
-
-		// Check on revisions page.
-		t.Run("Revision page", func(t *testing.T) {
-			defer tests.PrintCurrentTest(t)()
-
-			req := NewRequest(t, http.MethodGet, "/user2/repo1/wiki/Home?action=_revision")
-			resp := MakeRequest(t, req, http.StatusOK)
-			htmlDoc := NewHTMLParser(t, resp.Body)
-
-			htmlDoc.AssertElement(t, "script.evil", false)
-			assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted<script class="evil">alert('Oh no!');</script> edited this page 2024-01-31`)
-		})
+		htmlDoc.AssertElement(t, "script.evil", false)
+		assert.Contains(t, htmlDoc.Find(".ui.sub.header").Text(), `Gusted<script class="evil">alert('Oh no!');</script> edited this page 2024-01-31`)
 	})
 }