website/public: implement fix for the request url leaking
After requesting, the url used for requesting '/v1/request' was leaking
into the newly rendered search page because it uses the request URL as is.
We patch it to instead get rewritten to be a '/search' url in input creation.

website/public: implement test for csrfLegacyFix

The TestCSRFLegacyFix test should be doing about the same logic as the functions
used in the android app codebases.

mocks: generate extra mock types
Wessie committed May 1, 2024
1 parent 047c7cd commit 85888b2
Showing 4 changed files with 400 additions and 2 deletions.
2 changes: 1 addition & 1 deletion generate.go
@@ -1,6 +1,6 @@
package radio

//go:generate go generate ./rpc/generate.go
//go:generate moq -out mocks/radio.gen.go -pkg mocks . StorageService StorageTx TrackStorage SubmissionStorage UserStorage ManagerService
//go:generate moq -out mocks/radio.gen.go -pkg mocks . StorageService StorageTx TrackStorage SubmissionStorage UserStorage ManagerService SearchService RequestStorage
//go:generate moq -out mocks/templates.gen.go -pkg mocks ./templates/ Executor TemplateSelectable
//go:generate moq -out mocks/util.gen.go -pkg mocks ./mocks/ FS File FileInfo
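Review bot: the changed moq directive now lists eight interfaces (StorageService through RequestStorage) on one line, and the regenerated mocks/radio.gen.go is committed in the same change, so the two are consistent here; to keep them that way, consider a CI step that runs `go generate ./...` followed by `git diff --exit-code` so a future edit to this directive cannot land without its regenerated mocks.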
294 changes: 294 additions & 0 deletions mocks/radio.gen.go


14 changes: 13 additions & 1 deletion website/public/search.go
@@ -78,6 +78,18 @@ func NewSearchSharedInput(s radio.SearchService, rs radio.RequestStorage, r *htt

cd, ok := radio.CalculateCooldown(requestDelay, lastRequest)

// we also use this input if we're making a request, in which case our url
// will be something other than /search that we can't use for the pagination
// logic. We can detect this by looking for a trackid argument and changing
// the url to the expected /search path
uri := r.URL
if r.URL.Query().Has("trackid") {
query := uri.Query()
query.Del("trackid")
uri.RawQuery = query.Encode()
uri.Path = "/search"
}

return &SearchSharedInput{
CSRFTokenInput: csrf.TemplateField(r),
Query: query,
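Review bot: `uri := r.URL` copies a `*url.URL` pointer, so `uri.RawQuery = query.Encode()` and `uri.Path = "/search"` rewrite the incoming `r.URL` itself rather than a local copy; anything that reads `r.URL` after this point (later code in this function, logging or middleware that runs once the handler returns) will see a `/search` URL with `trackid` removed. If that side effect is not intended, copy the value first, `u := *r.URL`, modify `u`, and pass `&u` to the pagination. Two smaller points on the same block: `r.URL.Query().Has("trackid")` and `uri.Query()` parse the query string twice, and the inner `query :=` shadows the outer `query` that is stored in `Query: query` below, so a distinct name such as `vals` would read more clearly.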
@@ -86,7 +98,7 @@ func NewSearchSharedInput(s radio.SearchService, rs radio.RequestStorage, r *htt
RequestCooldown: cd,
Page: shared.NewPagination(
page, shared.PageCount(int64(searchResult.TotalHits), searchPageSize),
r.URL,
uri,
),
}, nil
}
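Review bot: switching the pagination from `r.URL` to `uri` is the actual fix, but the rendered part of this diff contains no test for it; consider a unit test that builds a request for `/v1/request` with a `trackid` parameter and a search query parameter, calls `NewSearchSharedInput`, and asserts that the URL handed to `shared.NewPagination` has path `/search`, no `trackid` parameter, and the search query parameter preserved, plus the inverse case that a plain `/search` request is passed through unchanged.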

0 comments on commit 85888b2
