From 751ab2c63505119d9c3b1f458100147d26f49b94 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 23 Mar 2026 16:10:44 +0100
Subject: [PATCH] test: add failing test for webhook BasicAuth credential exposure

---
 pkg/webtests/webhook_test.go | 47 ++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 pkg/webtests/webhook_test.go

diff --git a/pkg/webtests/webhook_test.go b/pkg/webtests/webhook_test.go
new file mode 100644
index 000000000..6bef5c1f3
--- /dev/null
+++ b/pkg/webtests/webhook_test.go
@@ -0,0 +1,47 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-present Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package webtests
+
+import (
+ "testing"
+
+ "code.vikunja.io/api/pkg/models"
+ "code.vikunja.io/api/pkg/web/handler"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestWebhook(t *testing.T) {
+ testHandler := webHandlerTest{
+ user: &testuser1,
+ strFunc: func() handler.CObject {
+ return &models.Webhook{}
+ },
+ t: t,
+ }
+ t.Run("ReadAll", func(t *testing.T) {
+ t.Run("should not expose BasicAuth credentials", func(t *testing.T) {
+ rec, err := testHandler.testReadAllWithUser(nil, map[string]string{"project": "1"})
+ require.NoError(t, err)
+ assert.Contains(t, rec.Body.String(), `"target_url"`)
+ assert.NotContains(t, rec.Body.String(), `webhook-user`)
+ assert.NotContains(t, rec.Body.String(), `webhook-password`)
+ assert.NotContains(t, rec.Body.String(), `webhook-secret-fixture`)
+ })
+ })
+}
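Review bot: The three NotContains assertions pass vacuously if the fixture webhook that carries `webhook-user`/`webhook-password`/`webhook-secret-fixture` is not part of project 1's ReadAll result, because `"target_url"` only proves that some webhook was serialized, not that one. Anchor the test on the credential-bearing fixture itself before the negative checks, e.g. assert the body contains that webhook's ID or target URL (whatever the fixture defines; it is not visible in this patch), or decode the body into `[]*models.Webhook` and assert the expected entry is present with empty credential fields. If the same struct is serialized by ReadOne and by the Create/Update responses, the exposure should be asserted there too; this test covers only ReadAll. Minor: `rec.Body.String()` is evaluated four times; a single `body := rec.Body.String()` after `require.NoError(t, err)` reads better.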