From de6ef14d04c36272143ad822bf5903f84c7f238b Mon Sep 17 00:00:00 2001 From: mrsdizzie Date: Fri, 31 May 2019 05:21:15 -0400 Subject: [PATCH] Validate External Tracker URL Format (#7089) * Validate External Tracker URL Format Add some validation checks for external tracker URL format. Fixes #7068 * Don't make {index} a hard requirement * Fix Description * make fmt * move regex to package level * fix copyright date --- modules/validation/helpers.go | 19 +++++++++ modules/validation/helpers_test.go | 67 ++++++++++++++++++++++++++++++ routers/repo/setting.go | 2 +- 3 files changed, 87 insertions(+), 1 deletion(-) diff --git a/modules/validation/helpers.go b/modules/validation/helpers.go index 9a4dfab7a..c22e667a2 100644 --- a/modules/validation/helpers.go +++ b/modules/validation/helpers.go @@ -7,6 +7,7 @@ package validation import ( "net" "net/url" + "regexp" "strings" "code.gitea.io/gitea/modules/setting" @@ -14,6 +15,8 @@ import ( var loopbackIPBlocks []*net.IPNet +var externalTrackerRegex = regexp.MustCompile(`({?)(?:user|repo|index)+?(}?)`) + func init() { for _, cidr := range []string{ "127.0.0.0/8", // IPv4 loopback @@ -75,3 +78,19 @@ func IsValidExternalURL(uri string) bool { return true } + +// IsValidExternalTrackerURLFormat checks if URL matches required syntax for external trackers +func IsValidExternalTrackerURLFormat(uri string) bool { + if !IsValidExternalURL(uri) { + return false + } + + // check for typoed variables like /{index/ or /[repo} + for _, match := range externalTrackerRegex.FindAllStringSubmatch(uri, -1) { + if (match[1] == "{" || match[2] == "}") && (match[1] != "{" || match[2] != "}") { + return false + } + } + + return true +} diff --git a/modules/validation/helpers_test.go b/modules/validation/helpers_test.go index 875625a02..9051ee1a0 100644 --- a/modules/validation/helpers_test.go +++ b/modules/validation/helpers_test.go @@ -88,3 +88,70 @@ func Test_IsValidExternalURL(t *testing.T) { }) } } + +func Test_IsValidExternalTrackerURLFormat(t *testing.T) { + setting.AppURL = "https://try.gitea.io/" + + cases := []struct { + description string + url string + valid bool + }{ + { + description: "Correct external tracker URL with all placeholders", + url: "https://github.com/{user}/{repo}/issues/{index}", + valid: true, + }, + { + description: "Local external tracker URL with all placeholders", + url: "https://127.0.0.1/{user}/{repo}/issues/{index}", + valid: false, + }, + { + description: "External tracker URL with typo placeholder", + url: "https://github.com/{user}/{repo/issues/{index}", + valid: false, + }, + { + description: "External tracker URL with typo placeholder", + url: "https://github.com/[user}/{repo/issues/{index}", + valid: false, + }, + { + description: "External tracker URL with typo placeholder", + url: "https://github.com/{user}/repo}/issues/{index}", + valid: false, + }, + { + description: "External tracker URL missing optional placeholder", + url: "https://github.com/{user}/issues/{index}", + valid: true, + }, + { + description: "External tracker URL missing optional placeholder", + url: "https://github.com/{repo}/issues/{index}", + valid: true, + }, + { + description: "External tracker URL missing optional placeholder", + url: "https://github.com/issues/{index}", + valid: true, + }, + { + description: "External tracker URL missing optional placeholder", + url: "https://github.com/issues/{user}", + valid: true, + }, + { + description: "External tracker URL with similar placeholder names test", + url: "https://github.com/user/repo/issues/{index}", + valid: true, + }, + } + + for _, testCase := range cases { + t.Run(testCase.description, func(t *testing.T) { + assert.Equal(t, testCase.valid, IsValidExternalTrackerURLFormat(testCase.url)) + }) + } +} diff --git a/routers/repo/setting.go b/routers/repo/setting.go index 07649982d..767cdacde 100644 --- a/routers/repo/setting.go +++ b/routers/repo/setting.go @@ -249,7 +249,7 @@ func SettingsPost(ctx *context.Context, form auth.RepoSettingForm) { ctx.Redirect(repo.Link() + "/settings") return } - if len(form.TrackerURLFormat) != 0 && !validation.IsValidExternalURL(form.TrackerURLFormat) { + if len(form.TrackerURLFormat) != 0 && !validation.IsValidExternalTrackerURLFormat(form.TrackerURLFormat) { ctx.Flash.Error(ctx.Tr("repo.settings.tracker_url_format_error")) ctx.Redirect(repo.Link() + "/settings") return