mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-15 20:25:18 +02:00
0eba0e371f
**Unvalidated version in goproxy ParsePackage** The module version is read straight from the zip directory path and never checked, so a crafted upload can leave a newline in it; `EnumeratePackageVersions` then writes each stored version on its own line for the `@v/list` endpoint, letting a module advertise fabricated versions to `go` clients. Validated the parsed version with `semver.IsValid` inside the parser, matching the version checks the other package parsers already do. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
86 lines
2.2 KiB
Go
86 lines
2.2 KiB
Go
// Copyright 2023 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package goproxy
|
|
|
|
import (
|
|
"archive/zip"
|
|
"bytes"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
const (
|
|
packageName = "gitea.com/go-gitea/gitea"
|
|
packageVersion = "v0.0.1"
|
|
)
|
|
|
|
func TestParsePackage(t *testing.T) {
|
|
createArchive := func(files map[string][]byte) *bytes.Reader {
|
|
var buf bytes.Buffer
|
|
zw := zip.NewWriter(&buf)
|
|
for name, content := range files {
|
|
w, _ := zw.Create(name)
|
|
w.Write(content)
|
|
}
|
|
zw.Close()
|
|
return bytes.NewReader(buf.Bytes())
|
|
}
|
|
|
|
t.Run("EmptyPackage", func(t *testing.T) {
|
|
data := createArchive(nil)
|
|
|
|
p, err := ParsePackage(data, int64(data.Len()))
|
|
assert.Nil(t, p)
|
|
assert.ErrorIs(t, err, ErrInvalidStructure)
|
|
})
|
|
|
|
t.Run("InvalidNameOrVersionStructure", func(t *testing.T) {
|
|
data := createArchive(map[string][]byte{
|
|
packageName + "/" + packageVersion + "/go.mod": {},
|
|
})
|
|
|
|
p, err := ParsePackage(data, int64(data.Len()))
|
|
assert.Nil(t, p)
|
|
assert.ErrorIs(t, err, ErrInvalidStructure)
|
|
})
|
|
|
|
t.Run("GoModFileInWrongDirectory", func(t *testing.T) {
|
|
data := createArchive(map[string][]byte{
|
|
packageName + "@" + packageVersion + "/subdir/go.mod": {},
|
|
})
|
|
|
|
p, err := ParsePackage(data, int64(data.Len()))
|
|
assert.NotNil(t, p)
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, packageName, p.Name)
|
|
assert.Equal(t, packageVersion, p.Version)
|
|
assert.Equal(t, "module gitea.com/go-gitea/gitea", p.GoMod)
|
|
})
|
|
|
|
t.Run("InvalidVersion", func(t *testing.T) {
|
|
data := createArchive(map[string][]byte{
|
|
packageName + "@v1.0.0\nv99.0.0/go.mod": []byte("module " + packageName),
|
|
})
|
|
|
|
p, err := ParsePackage(data, int64(data.Len()))
|
|
assert.Nil(t, p)
|
|
assert.ErrorIs(t, err, ErrInvalidVersion)
|
|
})
|
|
|
|
t.Run("Valid", func(t *testing.T) {
|
|
data := createArchive(map[string][]byte{
|
|
packageName + "@" + packageVersion + "/subdir/go.mod": []byte("invalid"),
|
|
packageName + "@" + packageVersion + "/go.mod": []byte("valid"),
|
|
})
|
|
|
|
p, err := ParsePackage(data, int64(data.Len()))
|
|
assert.NotNil(t, p)
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, packageName, p.Name)
|
|
assert.Equal(t, packageVersion, p.Version)
|
|
assert.Equal(t, "valid", p.GoMod)
|
|
})
|
|
}
|