**Backport:** #7025 Resolves #6266 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7025 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com> Co-committed-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com> Backported because `make security-check` was failing in the `v11.0/forgejo` branch: govulncheck reports a newly registered vulnerability (GO-2025-4020, with no fixed version available) in github.com/nwaples/rardecode. ``` /home/forgejo/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.3.linux-amd64/bin/go run golang.org/x/vuln/cmd/govulncheck@v1 ./... === Symbol Results === Vulnerability #1: GO-2025-4020 DoS risk due to unrestricted RAR dictionary sizes in github.com/nwaples/rardecode More info: https://pkg.go.dev/vuln/GO-2025-4020 Module: github.com/nwaples/rardecode Found in: github.com/nwaples/rardecode@v1.1.3 Fixed in: N/A Example traces found: #1: modules/git/repo_commit.go:263:24: git.Repository.CommitsByFileAndRange calls io.ReadFull, which eventually calls rardecode.cipherBlockReader.Read #2: modules/packages/arch/metadata.go:22:2: arch.init calls archiver.init, which calls rardecode.init #3: modules/git/repo_language_stats.go:198:32: git.Repository.GetLanguageStats calls bytes.Buffer.ReadFrom, which calls rardecode.limitedReader.Read Your code is affected by 1 vulnerability from 1 module. This scan also found 1 vulnerability in packages you import and 0 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. exit status 3 make: *** [Makefile:526: security-check] Error 1 ``` Co-authored-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10043 Reviewed-by: Gusted <gusted@noreply.codeberg.org>
// Copyright 2024 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package cmd
import (
	"os"
	"path/filepath"
	"testing"

	"github.com/mholt/archives"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)
// mockArchiverAsync stands in for the archiver goroutine that
// addRecursiveExclude feeds with jobs: it drains ch, records the
// NameInArchive of every job into *files in arrival order, and sends a nil
// result on job.Result so the walker can continue. It returns only when ch
// is closed; a test that never closes ch leaves this goroutine blocked for
// the rest of the process.
//
// files is written solely from this goroutine, and the nil result is sent
// after the append, so a caller that waits on job.Result before reading
// files observes every recorded name.
func mockArchiverAsync(ch chan archives.ArchiveAsyncJob, files *[]string) {
	for {
		job, open := <-ch
		if !open {
			return
		}
		*files = append(*files, job.File.NameInArchive)
		// Acknowledge after recording so the name is visible to whoever
		// waits on the result.
		job.Result <- nil
	}
}
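// TestAddRecursiveExclude pins the walk behind `forgejo dump`: every file and
// directory below the root is handed to the archiver as a job named by its
// slash-separated path relative to the root, unless its absolute path is in
// the exclude list. The exclude list is how an operator keeps sensitive or
// bulky directories out of a dump, so both "an excluded subtree vanishes
// entirely" and "siblings of an excluded entry are still archived" are
// asserted here.
//
// Exclude and fixture paths are built with filepath.Join so they are in the
// same OS form as the t.TempDir() root; hand-concatenated "/" separators only
// compare equal on POSIX hosts. The empty-string prefix and the trailing
// false flag are passed unchanged in every case; their meaning is defined
// with addRecursiveExclude.
func TestAddRecursiveExclude(t *testing.T) {
	// startMock runs mockArchiverAsync for the lifetime of the (sub)test and
	// closes the job channel in Cleanup, so the goroutine exits with the test
	// instead of leaking once per subtest. mockArchiverAsync records a name
	// before acknowledging the job, so files may be read after
	// addRecursiveExclude returns, assuming it waits on each job.Result
	// before moving on (it is defined elsewhere in this package).
	startMock := func(t *testing.T, files *[]string) chan archives.ArchiveAsyncJob {
		t.Helper()
		ch := make(chan archives.ArchiveAsyncJob)
		go mockArchiverAsync(ch, files)
		t.Cleanup(func() { close(ch) })
		return ch
	}

	t.Run("Empty", func(t *testing.T) {
		var files []string
		ch := startMock(t, &files)

		dir := t.TempDir()

		err := addRecursiveExclude(ch, "", dir, []string{}, false)
		require.NoError(t, err)
		assert.Empty(t, files)
	})

	t.Run("Single file", func(t *testing.T) {
		dir := t.TempDir()
		example := filepath.Join(dir, "example")
		err := os.WriteFile(example, nil, 0o666)
		require.NoError(t, err)

		t.Run("No exclude", func(t *testing.T) {
			var files []string
			ch := startMock(t, &files)

			err := addRecursiveExclude(ch, "", dir, nil, false)
			require.NoError(t, err)

			assert.Len(t, files, 1)
			assert.Contains(t, files, "example")
		})

		t.Run("With exclude", func(t *testing.T) {
			var files []string
			ch := startMock(t, &files)

			err := addRecursiveExclude(ch, "", dir, []string{example}, false)
			require.NoError(t, err)
			assert.Empty(t, files)
		})
	})

	t.Run("File inside directory", func(t *testing.T) {
		dir := t.TempDir()
		deep := filepath.Join(dir, "deep")
		folder := filepath.Join(deep, "nested", "folder")
		err := os.MkdirAll(folder, 0o750)
		require.NoError(t, err)
		err = os.WriteFile(filepath.Join(folder, "example"), nil, 0o666)
		require.NoError(t, err)
		err = os.WriteFile(filepath.Join(folder, "another-file"), nil, 0o666)
		require.NoError(t, err)

		t.Run("No exclude", func(t *testing.T) {
			var files []string
			ch := startMock(t, &files)

			err := addRecursiveExclude(ch, "", dir, nil, false)
			require.NoError(t, err)
			// Intermediate directories are archived as entries of their own,
			// not only the leaf files.
			assert.Len(t, files, 5)

			assert.Contains(t, files, "deep")
			assert.Contains(t, files, "deep/nested")
			assert.Contains(t, files, "deep/nested/folder")
			assert.Contains(t, files, "deep/nested/folder/example")
			assert.Contains(t, files, "deep/nested/folder/another-file")
		})

		t.Run("Exclude first directory", func(t *testing.T) {
			var files []string
			ch := startMock(t, &files)

			// Excluding the top-level directory must drop the whole subtree,
			// not just the directory entry itself.
			err := addRecursiveExclude(ch, "", dir, []string{deep}, false)
			require.NoError(t, err)
			assert.Empty(t, files)
		})

		t.Run("Exclude nested directory", func(t *testing.T) {
			var files []string
			ch := startMock(t, &files)

			err := addRecursiveExclude(ch, "", dir, []string{folder}, false)
			require.NoError(t, err)
			// The ancestors of an excluded directory are still archived.
			assert.Len(t, files, 2)

			assert.Contains(t, files, "deep")
			assert.Contains(t, files, "deep/nested")
		})

		t.Run("Exclude file", func(t *testing.T) {
			var files []string
			ch := startMock(t, &files)

			err := addRecursiveExclude(ch, "", dir, []string{filepath.Join(folder, "example")}, false)
			require.NoError(t, err)
			// Only the named file is dropped; its sibling and ancestors remain.
			assert.Len(t, files, 4)

			assert.Contains(t, files, "deep")
			assert.Contains(t, files, "deep/nested")
			assert.Contains(t, files, "deep/nested/folder")
			assert.Contains(t, files, "deep/nested/folder/another-file")
		})

		// NOTE(review): no case covers an exclude that is merely a string
		// prefix of an entry (e.g. ".../fold" vs ".../folder") or one given
		// with a trailing separator; worth adding once addRecursiveExclude's
		// matching rule is confirmed, since a too-loose match would silently
		// drop data from a dump and a too-strict one would leak an excluded
		// directory into it.
	})
}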