fix(sec): Forgejo Actions web routes (#6844)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6844 Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2025-08-01 17:38:33 +00:00 · 2025-02-08 09:16:23 +00:00 · 2025-02-08 09:16:23 +00:00 · b44b5fa63e
commit b44b5fa63e
parent 19f3639121 caeb95cb10
16 changed files with 396 additions and 42 deletions
--- a/tests/integration/actions_variables_test.go
+++ b/tests/integration/actions_variables_test.go
@ -0,0 +1,150 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	forgejo_context "code.gitea.io/gitea/services/context"
+	"code.gitea.io/gitea/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestActionVariablesModification(t *testing.T) {
+	defer tests.AddFixtures("tests/integration/fixtures/TestActionVariablesModification")()
+	defer tests.PrepareTestEnv(t)()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	userVariable := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionVariable{ID: 1001, OwnerID: user.ID})
+	userURL := "/user/settings/actions/variables"
+	org := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 3, Type: user_model.UserTypeOrganization})
+	orgVariable := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionVariable{ID: 1002, OwnerID: org.ID})
+	orgURL := "/org/" + org.Name + "/settings/actions/variables"
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1, OwnerID: user.ID})
+	repoVariable := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionVariable{ID: 1003, RepoID: repo.ID})
+	repoURL := "/" + repo.FullName() + "/settings/actions/variables"
+	admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{IsAdmin: true})
+	globalVariable := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionVariable{ID: 1004}, "owner_id = 0 AND repo_id = 0")
+	adminURL := "/admin/actions/variables"
+
+	adminSess := loginUser(t, admin.Name)
+	adminCSRF := GetCSRF(t, adminSess, "/")
+	sess := loginUser(t, user.Name)
+	csrf := GetCSRF(t, sess, "/")
+
+	type errorJSON struct {
+		Error string `json:"errorMessage"`
+	}
+
+	test := func(t *testing.T, fail bool, baseURL string, id int64) {
+		defer tests.PrintCurrentTest(t, 1)()
+		t.Helper()
+
+		sess := sess
+		csrf := csrf
+		if baseURL == adminURL {
+			sess = adminSess
+			csrf = adminCSRF
+		}
+
+		req := NewRequestWithValues(t, "POST", baseURL+fmt.Sprintf("/%d/edit", id), map[string]string{
+			"_csrf": csrf,
+			"name":  "glados_quote",
+			"data":  "I'm fine. Two plus two is...ten, in base four, I'm fine!",
+		})
+		if fail {
+			resp := sess.MakeRequest(t, req, http.StatusBadRequest)
+			var error errorJSON
+			DecodeJSON(t, resp, &error)
+			assert.EqualValues(t, "Failed to find the variable.", error.Error)
+		} else {
+			sess.MakeRequest(t, req, http.StatusOK)
+			flashCookie := sess.GetCookie(forgejo_context.CookieNameFlash)
+			assert.NotNil(t, flashCookie)
+			assert.EqualValues(t, "success%3DThe%2Bvariable%2Bhas%2Bbeen%2Bedited.", flashCookie.Value)
+		}
+
+		req = NewRequestWithValues(t, "POST", baseURL+fmt.Sprintf("/%d/delete", id), map[string]string{
+			"_csrf": csrf,
+		})
+		if fail {
+			resp := sess.MakeRequest(t, req, http.StatusBadRequest)
+			var error errorJSON
+			DecodeJSON(t, resp, &error)
+			assert.EqualValues(t, "Failed to find the variable.", error.Error)
+		} else {
+			sess.MakeRequest(t, req, http.StatusOK)
+			flashCookie := sess.GetCookie(forgejo_context.CookieNameFlash)
+			assert.NotNil(t, flashCookie)
+			assert.EqualValues(t, "success%3DThe%2Bvariable%2Bhas%2Bbeen%2Bremoved.", flashCookie.Value)
+		}
+	}
+
+	t.Run("User variable", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, userVariable.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, userVariable.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, true, adminURL, userVariable.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, false, userURL, userVariable.ID)
+		})
+	})
+
+	t.Run("Organisation variable", func(t *testing.T) {
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, orgVariable.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, orgVariable.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, true, adminURL, userVariable.ID)
+		})
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, false, orgURL, orgVariable.ID)
+		})
+	})
+
+	t.Run("Repository variable", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, repoVariable.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, repoVariable.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, true, adminURL, userVariable.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, false, repoURL, repoVariable.ID)
+		})
+	})
+
+	t.Run("Global variable", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, globalVariable.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, globalVariable.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, globalVariable.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, false, adminURL, globalVariable.ID)
+		})
+	})
+}
--- a/tests/integration/fixtures/TestActionVariablesModification/action_variable.yml
+++ b/tests/integration/fixtures/TestActionVariablesModification/action_variable.yml
@ -0,0 +1,31 @@
+-
+  id: 1001
+  name: GLADOS_QUOTE
+  owner_id: 2
+  repo_id: 0
+  data: ""
+  created_unix: 1737000000
+
+-
+  id: 1002
+  name: GLADOS_QUOTE
+  owner_id: 3
+  repo_id: 0
+  data: ""
+  created_unix: 1737000001
+
+-
+  id: 1003
+  name: GLADOS_QUOTE
+  owner_id: 0
+  repo_id: 1
+  data: ""
+  created_unix: 1737000002
+
+-
+  id: 1004
+  name: GLADOS_QUOTE
+  owner_id: 0
+  repo_id: 0
+  data: ""
+  created_unix: 1737000003
--- a/tests/integration/fixtures/TestRunnerModification/action_runner.yml
+++ b/tests/integration/fixtures/TestRunnerModification/action_runner.yml
@ -0,0 +1,31 @@
+-
+  id: 1001
+  uuid: "43b5d4d3-401b-42f9-94df-a9d45b447b82"
+  name: "User runner"
+  owner_id: 2
+  repo_id: 0
+  deleted: 0
+
+-
+  id: 1002
+  uuid: "bdc77f4f-2b2b-442d-bd44-e808f4306347"
+  name: "Organisation runner"
+  owner_id: 3
+  repo_id: 0
+  deleted: 0
+
+-
+  id: 1003
+  uuid: "9268bc8c-efbf-4dbe-aeb5-945733cdd098"
+  name: "Repository runner"
+  owner_id: 0
+  repo_id: 1
+  deleted: 0
+
+-
+  id: 1004
+  uuid: "fb857e63-c0ce-4571-a6c9-fde26c128073"
+  name: "Global runner"
+  owner_id: 0
+  repo_id: 0
+  deleted: 0
--- a/tests/integration/runner_test.go
+++ b/tests/integration/runner_test.go
@ -0,0 +1,130 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	forgejo_context "code.gitea.io/gitea/services/context"
+	"code.gitea.io/gitea/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRunnerModification(t *testing.T) {
+	defer tests.AddFixtures("tests/integration/fixtures/TestRunnerModification")()
+	defer tests.PrepareTestEnv(t)()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	userRunner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: 1001, OwnerID: user.ID})
+	userURL := "/user/settings/actions/runners"
+	org := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 3, Type: user_model.UserTypeOrganization})
+	orgRunner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: 1002, OwnerID: org.ID})
+	orgURL := "/org/" + org.Name + "/settings/actions/runners"
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1, OwnerID: user.ID})
+	repoRunner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: 1003, RepoID: repo.ID})
+	repoURL := "/" + repo.FullName() + "/settings/actions/runners"
+	admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{IsAdmin: true})
+	globalRunner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: 1004}, "owner_id = 0 AND repo_id = 0")
+	adminURL := "/admin/actions/runners"
+
+	adminSess := loginUser(t, admin.Name)
+	adminCSRF := GetCSRF(t, adminSess, "/")
+	sess := loginUser(t, user.Name)
+	csrf := GetCSRF(t, sess, "/")
+
+	test := func(t *testing.T, fail bool, baseURL string, id int64) {
+		defer tests.PrintCurrentTest(t, 1)()
+		t.Helper()
+
+		sess := sess
+		csrf := csrf
+		if baseURL == adminURL {
+			sess = adminSess
+			csrf = adminCSRF
+		}
+
+		req := NewRequestWithValues(t, "POST", baseURL+fmt.Sprintf("/%d", id), map[string]string{
+			"_csrf":       csrf,
+			"description": "New Description",
+		})
+		if fail {
+			sess.MakeRequest(t, req, http.StatusNotFound)
+		} else {
+			sess.MakeRequest(t, req, http.StatusSeeOther)
+			flashCookie := sess.GetCookie(forgejo_context.CookieNameFlash)
+			assert.NotNil(t, flashCookie)
+			assert.EqualValues(t, "success%3DRunner%2Bupdated%2Bsuccessfully", flashCookie.Value)
+		}
+
+		req = NewRequestWithValues(t, "POST", baseURL+fmt.Sprintf("/%d/delete", id), map[string]string{
+			"_csrf": csrf,
+		})
+		if fail {
+			sess.MakeRequest(t, req, http.StatusNotFound)
+		} else {
+			sess.MakeRequest(t, req, http.StatusOK)
+			flashCookie := sess.GetCookie(forgejo_context.CookieNameFlash)
+			assert.NotNil(t, flashCookie)
+			assert.EqualValues(t, "success%3DRunner%2Bdeleted%2Bsuccessfully", flashCookie.Value)
+		}
+	}
+
+	t.Run("User runner", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, userRunner.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, userRunner.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, false, userURL, userRunner.ID)
+		})
+	})
+
+	t.Run("Organisation runner", func(t *testing.T) {
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, orgRunner.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, orgRunner.ID)
+		})
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, false, orgURL, orgRunner.ID)
+		})
+	})
+
+	t.Run("Repository runner", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, repoRunner.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, repoRunner.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, false, repoURL, repoRunner.ID)
+		})
+	})
+
+	t.Run("Global runner", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, globalRunner.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, globalRunner.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, globalRunner.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, false, adminURL, globalRunner.ID)
+		})
+	})
+}