2009-11-07 16:13:28 +01:00
|
|
|
#!/bin/sh
|
|
|
|
#
|
|
|
|
# Copyright (c) 2009 Mark Rada
|
|
|
|
#
|
|
|
|
|
|
|
|
test_description='gitweb as standalone script (parsing script output).
|
|
|
|
|
|
|
|
This test runs gitweb (git web interface) as a CGI script from the
|
|
|
|
commandline, and checks that it produces the correct output, either
|
|
|
|
in the HTTP header or the actual script output.'
|
|
|
|
|
|
|
|
|
2020-11-19 00:44:43 +01:00
|
|
|
GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main
|
tests: mark tests relying on the current default for `init.defaultBranch`
In addition to the manual adjustment to let the `linux-gcc` CI job run
the test suite with `master` and then with `main`, this patch makes sure
that GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME is set in all test scripts
that currently rely on the initial branch name being `master by default.
To determine which test scripts to mark up, the first step was to
force-set the default branch name to `master` in
- all test scripts that contain the keyword `master`,
- t4211, which expects `t/t4211/history.export` with a hard-coded ref to
initialize the default branch,
- t5560 because it sources `t/t556x_common` which uses `master`,
- t8002 and t8012 because both source `t/annotate-tests.sh` which also
uses `master`)
This trick was performed by this command:
$ sed -i '/^ *\. \.\/\(test-lib\|lib-\(bash\|cvs\|git-svn\)\|gitweb-lib\)\.sh$/i\
GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=master\
export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME\
' $(git grep -l master t/t[0-9]*.sh) \
t/t4211*.sh t/t5560*.sh t/t8002*.sh t/t8012*.sh
After that, careful, manual inspection revealed that some of the test
scripts containing the needle `master` do not actually rely on a
specific default branch name: either they mention `master` only in a
comment, or they initialize that branch specificially, or they do not
actually refer to the current default branch. Therefore, the
aforementioned modification was undone in those test scripts thusly:
$ git checkout HEAD -- \
t/t0027-auto-crlf.sh t/t0060-path-utils.sh \
t/t1011-read-tree-sparse-checkout.sh \
t/t1305-config-include.sh t/t1309-early-config.sh \
t/t1402-check-ref-format.sh t/t1450-fsck.sh \
t/t2024-checkout-dwim.sh \
t/t2106-update-index-assume-unchanged.sh \
t/t3040-subprojects-basic.sh t/t3301-notes.sh \
t/t3308-notes-merge.sh t/t3423-rebase-reword.sh \
t/t3436-rebase-more-options.sh \
t/t4015-diff-whitespace.sh t/t4257-am-interactive.sh \
t/t5323-pack-redundant.sh t/t5401-update-hooks.sh \
t/t5511-refspec.sh t/t5526-fetch-submodules.sh \
t/t5529-push-errors.sh t/t5530-upload-pack-error.sh \
t/t5548-push-porcelain.sh \
t/t5552-skipping-fetch-negotiator.sh \
t/t5572-pull-submodule.sh t/t5608-clone-2gb.sh \
t/t5614-clone-submodules-shallow.sh \
t/t7508-status.sh t/t7606-merge-custom.sh \
t/t9302-fast-import-unpack-limit.sh
We excluded one set of test scripts in these commands, though: the range
of `git p4` tests. The reason? `git p4` stores the (foreign) remote
branch in the branch called `p4/master`, which is obviously not the
default branch. Manual analysis revealed that only five of these tests
actually require a specific default branch name to pass; They were
modified thusly:
$ sed -i '/^ *\. \.\/lib-git-p4\.sh$/i\
GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=master\
export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME\
' t/t980[0167]*.sh t/t9811*.sh
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2020-11-19 00:44:19 +01:00
|
|
|
export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
|
|
|
|
|
2021-02-09 22:41:53 +01:00
|
|
|
. ./lib-gitweb.sh
|
2009-11-07 16:13:28 +01:00
|
|
|
|
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
# snapshot file name and prefix
|
|
|
|
|
|
|
|
cat >>gitweb_config.perl <<\EOF
|
|
|
|
|
|
|
|
$known_snapshot_formats{'tar'} = {
|
|
|
|
'display' => 'tar',
|
|
|
|
'type' => 'application/x-tar',
|
|
|
|
'suffix' => '.tar',
|
|
|
|
'format' => 'tar',
|
|
|
|
};
|
|
|
|
|
|
|
|
$feature{'snapshot'}{'default'} = ['tar'];
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Call check_snapshot with the arguments "<basename> [<prefix>]"
|
|
|
|
#
|
|
|
|
# This will check that gitweb HTTP header contains proposed filename
|
|
|
|
# as <basename> with '.tar' suffix added, and that generated tarfile
|
2022-03-08 16:56:11 +01:00
|
|
|
# (gitweb message body) has <prefix> as prefix for all files in tarfile
|
2009-11-07 16:13:28 +01:00
|
|
|
#
|
|
|
|
# <prefix> default to <basename>
|
|
|
|
check_snapshot () {
|
|
|
|
basename=$1
|
|
|
|
prefix=${2:-"$1"}
|
|
|
|
echo "basename=$basename"
|
|
|
|
grep "filename=.*$basename.tar" gitweb.headers >/dev/null 2>&1 &&
|
|
|
|
"$TAR" tf gitweb.body >file_list &&
|
2012-12-19 05:57:13 +01:00
|
|
|
! grep -v -e "^$prefix$" -e "^$prefix/" -e "^pax_global_header$" file_list
|
2009-11-07 16:13:28 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
test_expect_success setup '
|
|
|
|
test_commit first foo &&
|
|
|
|
git branch xx/test &&
|
|
|
|
FULL_ID=$(git rev-parse --verify HEAD) &&
|
|
|
|
SHORT_ID=$(git rev-parse --verify --short=7 HEAD)
|
|
|
|
'
|
|
|
|
test_debug '
|
|
|
|
echo "FULL_ID = $FULL_ID"
|
|
|
|
echo "SHORT_ID = $SHORT_ID"
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'snapshot: full sha1' '
|
|
|
|
gitweb_run "p=.git;a=snapshot;h=$FULL_ID;sf=tar" &&
|
2009-11-07 16:13:29 +01:00
|
|
|
check_snapshot ".git-$SHORT_ID"
|
2009-11-07 16:13:28 +01:00
|
|
|
'
|
|
|
|
test_debug 'cat gitweb.headers && cat file_list'
|
|
|
|
|
|
|
|
test_expect_success 'snapshot: shortened sha1' '
|
|
|
|
gitweb_run "p=.git;a=snapshot;h=$SHORT_ID;sf=tar" &&
|
2009-11-07 16:13:29 +01:00
|
|
|
check_snapshot ".git-$SHORT_ID"
|
|
|
|
'
|
|
|
|
test_debug 'cat gitweb.headers && cat file_list'
|
|
|
|
|
|
|
|
test_expect_success 'snapshot: almost full sha1' '
|
|
|
|
ID=$(git rev-parse --short=30 HEAD) &&
|
|
|
|
gitweb_run "p=.git;a=snapshot;h=$ID;sf=tar" &&
|
|
|
|
check_snapshot ".git-$SHORT_ID"
|
2009-11-07 16:13:28 +01:00
|
|
|
'
|
|
|
|
test_debug 'cat gitweb.headers && cat file_list'
|
|
|
|
|
|
|
|
test_expect_success 'snapshot: HEAD' '
|
|
|
|
gitweb_run "p=.git;a=snapshot;h=HEAD;sf=tar" &&
|
2009-11-07 16:13:29 +01:00
|
|
|
check_snapshot ".git-HEAD-$SHORT_ID"
|
2009-11-07 16:13:28 +01:00
|
|
|
'
|
|
|
|
test_debug 'cat gitweb.headers && cat file_list'
|
|
|
|
|
2020-11-19 00:44:43 +01:00
|
|
|
test_expect_success 'snapshot: short branch name (main)' '
|
|
|
|
gitweb_run "p=.git;a=snapshot;h=main;sf=tar" &&
|
|
|
|
ID=$(git rev-parse --verify --short=7 main) &&
|
|
|
|
check_snapshot ".git-main-$ID"
|
2009-11-07 16:13:29 +01:00
|
|
|
'
|
|
|
|
test_debug 'cat gitweb.headers && cat file_list'
|
|
|
|
|
|
|
|
test_expect_success 'snapshot: short tag name (first)' '
|
|
|
|
gitweb_run "p=.git;a=snapshot;h=first;sf=tar" &&
|
|
|
|
ID=$(git rev-parse --verify --short=7 first) &&
|
|
|
|
check_snapshot ".git-first-$ID"
|
|
|
|
'
|
|
|
|
test_debug 'cat gitweb.headers && cat file_list'
|
|
|
|
|
2020-11-19 00:44:43 +01:00
|
|
|
test_expect_success 'snapshot: full branch name (refs/heads/main)' '
|
|
|
|
gitweb_run "p=.git;a=snapshot;h=refs/heads/main;sf=tar" &&
|
|
|
|
ID=$(git rev-parse --verify --short=7 main) &&
|
|
|
|
check_snapshot ".git-main-$ID"
|
2009-11-07 16:13:29 +01:00
|
|
|
'
|
|
|
|
test_debug 'cat gitweb.headers && cat file_list'
|
|
|
|
|
|
|
|
test_expect_success 'snapshot: full tag name (refs/tags/first)' '
|
|
|
|
gitweb_run "p=.git;a=snapshot;h=refs/tags/first;sf=tar" &&
|
|
|
|
check_snapshot ".git-first"
|
2009-11-07 16:13:28 +01:00
|
|
|
'
|
|
|
|
test_debug 'cat gitweb.headers && cat file_list'
|
|
|
|
|
2009-11-07 16:13:29 +01:00
|
|
|
test_expect_success 'snapshot: hierarchical branch name (xx/test)' '
|
2009-11-07 16:13:28 +01:00
|
|
|
gitweb_run "p=.git;a=snapshot;h=xx/test;sf=tar" &&
|
|
|
|
! grep "filename=.*/" gitweb.headers
|
|
|
|
'
|
|
|
|
test_debug 'cat gitweb.headers'
|
|
|
|
|
2011-04-29 19:51:56 +02:00
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
# forks of projects
|
|
|
|
|
|
|
|
test_expect_success 'forks: setup' '
|
|
|
|
git init --bare foo.git &&
|
|
|
|
echo file > file &&
|
|
|
|
git --git-dir=foo.git --work-tree=. add file &&
|
|
|
|
git --git-dir=foo.git --work-tree=. commit -m "Initial commit" &&
|
|
|
|
echo "foo" > foo.git/description &&
|
|
|
|
git clone --bare foo.git foo.bar.git &&
|
|
|
|
echo "foo.bar" > foo.bar.git/description &&
|
|
|
|
git clone --bare foo.git foo_baz.git &&
|
|
|
|
echo "foo_baz" > foo_baz.git/description &&
|
|
|
|
rm -fr foo &&
|
|
|
|
mkdir -p foo &&
|
|
|
|
(
|
|
|
|
cd foo &&
|
|
|
|
git clone --shared --bare ../foo.git foo-forked.git &&
|
|
|
|
echo "fork of foo" > foo-forked.git/description
|
|
|
|
)
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'forks: not skipped unless "forks" feature enabled' '
|
|
|
|
gitweb_run "a=project_list" &&
|
|
|
|
grep -q ">\\.git<" gitweb.body &&
|
|
|
|
grep -q ">foo\\.git<" gitweb.body &&
|
|
|
|
grep -q ">foo_baz\\.git<" gitweb.body &&
|
|
|
|
grep -q ">foo\\.bar\\.git<" gitweb.body &&
|
|
|
|
grep -q ">foo_baz\\.git<" gitweb.body &&
|
|
|
|
grep -q ">foo/foo-forked\\.git<" gitweb.body &&
|
|
|
|
grep -q ">fork of .*<" gitweb.body
|
|
|
|
'
|
|
|
|
|
2015-03-20 11:13:01 +01:00
|
|
|
test_expect_success 'enable forks feature' '
|
|
|
|
cat >>gitweb_config.perl <<-\EOF
|
|
|
|
$feature{"forks"}{"default"} = [1];
|
|
|
|
EOF
|
|
|
|
'
|
2011-04-29 19:51:56 +02:00
|
|
|
|
|
|
|
test_expect_success 'forks: forks skipped if "forks" feature enabled' '
|
|
|
|
gitweb_run "a=project_list" &&
|
|
|
|
grep -q ">\\.git<" gitweb.body &&
|
|
|
|
grep -q ">foo\\.git<" gitweb.body &&
|
|
|
|
grep -q ">foo_baz\\.git<" gitweb.body &&
|
|
|
|
grep -q ">foo\\.bar\\.git<" gitweb.body &&
|
|
|
|
grep -q ">foo_baz\\.git<" gitweb.body &&
|
|
|
|
grep -v ">foo/foo-forked\\.git<" gitweb.body &&
|
|
|
|
grep -v ">fork of .*<" gitweb.body
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'forks: "forks" action for forked repository' '
|
|
|
|
gitweb_run "p=foo.git;a=forks" &&
|
|
|
|
grep -q ">foo/foo-forked\\.git<" gitweb.body &&
|
|
|
|
grep -q ">fork of foo<" gitweb.body
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'forks: can access forked repository' '
|
|
|
|
gitweb_run "p=foo/foo-forked.git;a=summary" &&
|
|
|
|
grep -q "200 OK" gitweb.headers &&
|
|
|
|
grep -q ">fork of foo<" gitweb.body
|
|
|
|
'
|
|
|
|
|
|
|
|
test_expect_success 'forks: project_index lists all projects (incl. forks)' '
|
2015-03-20 11:13:01 +01:00
|
|
|
cat >expected <<-\EOF &&
|
2011-04-29 19:51:56 +02:00
|
|
|
.git
|
|
|
|
foo.bar.git
|
|
|
|
foo.git
|
|
|
|
foo/foo-forked.git
|
|
|
|
foo_baz.git
|
|
|
|
EOF
|
|
|
|
gitweb_run "a=project_index" &&
|
|
|
|
sed -e "s/ .*//" <gitweb.body | sort >actual &&
|
|
|
|
test_cmp expected actual
|
|
|
|
'
|
|
|
|
|
2012-11-12 22:34:28 +01:00
|
|
|
xss() {
|
2019-11-15 10:05:56 +01:00
|
|
|
echo >&2 "Checking $*..." &&
|
|
|
|
gitweb_run "$@" &&
|
2012-11-12 22:34:28 +01:00
|
|
|
if grep "$TAG" gitweb.body; then
|
|
|
|
echo >&2 "xss: $TAG should have been quoted in output"
|
|
|
|
return 1
|
|
|
|
fi
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
test_expect_success 'xss checks' '
|
|
|
|
TAG="<magic-xss-tag>" &&
|
|
|
|
xss "a=rss&p=$TAG" &&
|
gitweb: escape URLs generated by href()
There's a cross-site scripting problem in gitweb, where it will print
URLs generated by its href() helper without further quoting. This allows
an attacker to point a victim to a specially crafted gitweb URL and
inject arbitrary HTML into the resulting page (which the victim sees as
coming from gitweb).
The base of the URL comes from evaluate_uri(), which pulls the value of
$REQUEST_URI via the CGI module. It tries to strip off $PATH_INFO, but
fails to do so in some cases (including ones that contain special
characters, like "+"). Most of the uses of the URL end up being passed
to "$cgi->a(-href = href())", which will get quoted properly by the CGI
module. But in a few places, we output them ourselves as part of
manually-generated HTML, and whatever was in the original URL will
appear unquoted in the output.
Given that all of the nearby variables placed into this manual HTML
_are_ quoted, it seems like the authors assumed that these URLs would
not need quoting. So it's possible that the bug is actually in
evaluate_uri(), which should be doing a more careful job of stripping
$PATH_INFO. There's some discussion in a comment in that function, as
well as the commit message in 81d3fe9f48 (gitweb: fix wrong base URL
when non-root DirectoryIndex, 2009-02-15). But I'm not sure I understand
it.
Regardless, it's a good idea to quote these values at the point of
insertion into the HTML output:
1. Even if there is a bug in evaluate_uri(), this would give us
belt-and-suspenders protection.
2. evaluate_uri() is only handling the base. Some generated URLs will
also mention arbitrary refs or filenames in the repositories, and
these should be quoted anyway.
3. It should never _hurt_ to quote (and that's what all of the
$cgi->a() calls are doing already).
So there may be further work here, but this patch at least prevents the
XSS vulnerability, and shouldn't make anything worse.
The test here covers the calls in print_feed_meta(), but I manually
audited every call to href() to see how its output was used, and quoted
appropriately. Most of them are esc_attr(), as they're used in tag
attributes, but I used esc_html() when the URLs were printed bare. The
distinction is largely academic, as one is implemented as a wrapper for
the other.
Reported-by: NAKAYAMA DAISUKE <nakyamad@icloud.com>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-11-15 10:06:07 +01:00
|
|
|
xss "a=rss&p=foo.git&f=$TAG" &&
|
|
|
|
xss "" "$TAG+"
|
2012-11-12 22:34:28 +01:00
|
|
|
'
|
2011-04-29 19:51:56 +02:00
|
|
|
|
2022-03-08 16:56:12 +01:00
|
|
|
no_http_equiv_content_type() {
|
|
|
|
gitweb_run "$@" &&
|
|
|
|
! grep -E "http-equiv=['\"]?content-type" gitweb.body
|
|
|
|
}
|
|
|
|
|
|
|
|
# See: <https://html.spec.whatwg.org/dev/semantics.html#attr-meta-http-equiv-content-type>
|
|
|
|
test_expect_success 'no http-equiv="content-type" in XHTML' '
|
|
|
|
no_http_equiv_content_type &&
|
|
|
|
no_http_equiv_content_type "p=.git" &&
|
|
|
|
no_http_equiv_content_type "p=.git;a=log" &&
|
|
|
|
no_http_equiv_content_type "p=.git;a=tree"
|
|
|
|
'
|
|
|
|
|
2009-11-07 16:13:28 +01:00
|
|
|
test_done
|