From d54d5952f25828e84f7024aae6e62d1a18b788ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= <loic@dachary.org>
Date: Sun, 12 Nov 2023 20:01:24 +0100
Subject: [PATCH] [GITEA] test POST
 /{username}/{reponame}/{tags,release}/delete

Refs: https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers

(cherry picked from commit 78dcbb62fe87abe044034d880c9e8c22b44c2c98)
(cherry picked from commit 6707c08c1791926060a7735529f1945650030257)
(cherry picked from commit 68da5a9cd82415caedac15a07e38206f7bd6fbde)
(cherry picked from commit c27fb08cb00f130870d6059a0ebb67b505a3c252)
(cherry picked from commit f15a2c558a74aaf954550c71974593bf012004db)
(cherry picked from commit 8eb3ae693922fdb65a185ee63703b866d10fa60a)
---
 tests/integration/release_test.go | 38 +++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/tests/integration/release_test.go b/tests/integration/release_test.go
index 439e315347..96fcff0963 100644
--- a/tests/integration/release_test.go
+++ b/tests/integration/release_test.go
@@ -93,6 +93,44 @@ func TestCreateRelease(t *testing.T) {
 	checkLatestReleaseAndCount(t, session, "/user2/repo1", "v0.0.1", translation.NewLocale("en-US").Tr("repo.release.stable"), 4)
 }
 
+func TestDeleteRelease(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 57, OwnerName: "user2", LowerName: "repo-release"})
+	release := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{TagName: "v2.0"})
+	assert.False(t, release.IsTag)
+
+	// Using the ID of a comment that does not belong to the repository must fail
+	session5 := loginUser(t, "user5")
+	otherRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{OwnerName: "user5", LowerName: "repo4"})
+
+	req := NewRequestWithValues(t, "POST", fmt.Sprintf("%s/releases/delete?id=%d", otherRepo.Link(), release.ID), map[string]string{
+		"_csrf": GetCSRF(t, session5, otherRepo.Link()),
+	})
+	session5.MakeRequest(t, req, http.StatusNotFound)
+
+	session := loginUser(t, "user2")
+	req = NewRequestWithValues(t, "POST", fmt.Sprintf("%s/releases/delete?id=%d", repo.Link(), release.ID), map[string]string{
+		"_csrf": GetCSRF(t, session, repo.Link()),
+	})
+	session.MakeRequest(t, req, http.StatusOK)
+	release = unittest.AssertExistsAndLoadBean(t, &repo_model.Release{ID: release.ID})
+
+	if assert.True(t, release.IsTag) {
+		req = NewRequestWithValues(t, "POST", fmt.Sprintf("%s/tags/delete?id=%d", otherRepo.Link(), release.ID), map[string]string{
+			"_csrf": GetCSRF(t, session5, otherRepo.Link()),
+		})
+		session5.MakeRequest(t, req, http.StatusNotFound)
+
+		req = NewRequestWithValues(t, "POST", fmt.Sprintf("%s/tags/delete?id=%d", repo.Link(), release.ID), map[string]string{
+			"_csrf": GetCSRF(t, session, repo.Link()),
+		})
+		session.MakeRequest(t, req, http.StatusOK)
+
+		unittest.AssertNotExistsBean(t, &repo_model.Release{ID: release.ID})
+	}
+}
+
 func TestCreateReleasePreRelease(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()