fix(ui): use URL query escaping for SSH key verification reload token link (#12581)

Follow-up of: forgejo/forgejo!9002

Closes: Codeberg/Community#2575

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12581
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Robert Wolff 2026-05-16 11:51:17 +02:00 committed by Gusted
parent aae19e6c19
commit d4d2c64d23
2 changed files with 10 additions and 9 deletions


@ -74,7 +74,7 @@
<div class="field">
<label for="token">{{ctx.Locale.Tr "settings.ssh_token"}}</label>
<input readonly="" value="{{$.TokenToSign}}">
<span class="help">{{ctx.Locale.Tr "keys.verify.token.hint" (printf "?verify_ssh=%s" .Fingerprint)}}</span>
<span class="help">{{ctx.Locale.Tr "keys.verify.token.hint" (printf "?verify_ssh=%s" (QueryEscape .Fingerprint))}}</span>
<div class="help">
<br>
<p>{{ctx.Locale.Tr "settings.ssh_token_help"}}</p>
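Review bot: The new `keys.verify.token.hint` line wraps `.Fingerprint` in `QueryEscape` but carries no comment saying why, so a later template cleanup could drop the call without anyone noticing. A short template comment above it, such as `{{/* Fingerprint goes into a query string; escape it so reserved characters survive the round trip */}}`, would record the reason. The escaped string is still handed to `ctx.Locale.Tr` as an argument. How `Tr` treats that argument when it builds the link is not visible in this hunk, so it is worth confirming that it is not escaped or rewritten a second time.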


@ -7,7 +7,6 @@ import (
"fmt"
"net/http"
"net/url"
"strings"
"testing"
"forgejo.org/modules/test"
@ -29,12 +28,15 @@ func TestVerifySSHkeyPage(t *testing.T) {
page = NewHTMLParser(t, session.MakeRequest(t, NewRequest(t, "GET", fmt.Sprintf("/user/settings/keys%s", link)), http.StatusOK).Body)
// QueryUnescape the link for selector matching
link, err := url.QueryUnescape(link)
require.NoError(t, err)
// The hint contains a link to the same page the user is at now to get it reloaded if followed
page.AssertElement(t, fmt.Sprintf("#keys-ssh form[action='/user/settings/keys'] .help a[href='%s']", link), true)
linkShown, exists := page.Find("#keys-ssh form[action='/user/settings/keys'] .help a").Attr("href")
assert.True(t, exists)
// QueryUnescape links before comparison, because they contain "%3a" versus "%3A", both unescaping to ":"
linkUnescaped, err := url.QueryUnescape(link)
require.NoError(t, err)
linkShownUnescaped, err := url.QueryUnescape(linkShown)
require.NoError(t, err)
assert.Equal(t, linkUnescaped, linkShownUnescaped)
// The token changes every minute, we can avoid this sleep via timeutil and mocking.
test.SleepTillNextMinute()
@ -43,8 +45,7 @@ func TestVerifySSHkeyPage(t *testing.T) {
token, exists := page.Find("#keys-ssh form input[readonly]").Attr("value")
assert.True(t, exists)
link = url.QueryEscape(strings.TrimPrefix(link, "?verify_ssh="))
page = NewHTMLParser(t, session.MakeRequest(t, NewRequestf(t, "GET", "/user/settings/keys?verify_ssh=%s", link), http.StatusOK).Body)
page = NewHTMLParser(t, session.MakeRequest(t, NewRequestf(t, "GET", "/user/settings/keys%s", linkShown), http.StatusOK).Body)
otherToken, exists := page.Find("#keys-ssh form .field input[readonly]").Attr("value")
assert.True(t, exists)
assert.NotEqual(t, token, otherToken)
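Review bot: The `assert.True(t, exists)` that follows the `href` lookup for `linkShown` lets the test keep running when no link is rendered. The empty `linkShown` is then formatted into `"/user/settings/keys%s"` for the reload request, so the failures that follow point away from the real cause; `require.True(t, exists)` would stop at the missing link. The new selector `#keys-ssh form[action='/user/settings/keys'] .help a` no longer matches on `href`, so the comparison presumably relies on the hint link being the first anchor under `.help` in that form. Both sides also go through `url.QueryUnescape` before `assert.Equal`, so the comparison alone would accept an unescaped `href` whenever the fingerprint has no character that unescaping changes. A comment stating that the follow-up request with `linkShown` is what exercises the escaped form would make that dependency explicit. `TestVerifySSHkeyPage` starts and ends outside the visible hunks.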