mirror of
https://github.com/facebook/sapling.git
synced 2024-10-12 01:39:21 +03:00
4a7b28d08b
Summary: Previously `hg server` used `HGPORT`, which might already be in use. This patch uses `-p 0 --port-file ...` so `hg server` always gets assigned a free port.

The change was first made by the following Ruby script:

```ruby
re = /^  \$ hg serve(.*) -p \$(HGPORT[12]?) (.*[^\\])$\n  \$/
Dir['*.t'].each do |path|
  old = File.read(path)
  new = old.lines.map do |l|
    next l if l[/\(glob\)/] or not l['$HGPORT'] or l[/^  [$>]/]
    "#{l.chomp} (glob)\n"
  end.join.gsub re, <<-'EOS'.chomp
  $ hg serve\1 -p 0 --port-file $TESTTMP/.port \3
  $ \2=`cat $TESTTMP/.port`
  $
EOS
  File.write(path, new) if old != new
end
```

Then there are some manual changes:

run-tests.py: It now treats `$HGPORT` in output as glob pattern `*`, since it does not know the assigned value in tests.

test-bookmarks-pushpull.t, test-https.t: Some `hg pull`s were changed to use explicit paths instead of relying on `.hgrc`, since the test restarts the server and `.hg/hgrc` has an outdated URL.

test-schemes.t: The test writes `$HGPORT` to `.hgrc` before assigning it. Changed the order so the correct `$HGPORT` is written.

test-patchbomb-tls.t: Changed `(?) (glob)` to `(glob) (?)`.

Reviewed By: DurhamG

Differential Revision: D6925398

fbshipit-source-id: d5c10476f43ce23f9e99618807580cf8ba92595c
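The port-file handshake the commit message describes (bind to port 0 so the kernel hands out a free port, publish it in a file, let the client read it back) as an added, self-contained Python example. This is not Mercurial's or Sapling's code: the echo service, the `.port` file name under a temporary directory and the atomic write-then-rename are constructed for the illustration.

```python
import os
import socket
import socketserver
import tempfile
import threading


class EchoHandler(socketserver.StreamRequestHandler):
    """Minimal line-echo service standing in for the real server."""

    def handle(self):
        line = self.rfile.readline()
        self.wfile.write(b"echo: " + line)


def start_server(port_file):
    """Bind to 127.0.0.1 port 0 so the kernel picks a free port, publish that
    port through port_file, then serve in a background thread."""
    server = socketserver.TCPServer(("127.0.0.1", 0), EchoHandler)
    port = server.server_address[1]
    # Write to a temporary name and rename into place, so a reader polling
    # for the file never observes a half-written port number.
    tmp = port_file + ".tmp"
    with open(tmp, "w") as f:
        f.write("%d\n" % port)
    os.replace(tmp, port_file)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def read_port(port_file):
    """Client side of the handshake: the equivalent of HGPORT=`cat .port`."""
    with open(port_file) as f:
        return int(f.read().strip())


def round_trip(port_file, message):
    """Connect to the port named in port_file, send one line, return the reply."""
    addr = ("127.0.0.1", read_port(port_file))
    with socket.create_connection(addr, timeout=5) as sock:
        sock.sendall(message + b"\n")
        return sock.makefile("rb").readline()


def demo():
    """Start a server on an OS-assigned port and talk to it via the port file.
    Returns (assigned_port, port_read_from_file, reply)."""
    with tempfile.TemporaryDirectory() as workdir:
        port_file = os.path.join(workdir, ".port")  # same file name the tests use
        server = start_server(port_file)
        try:
            return (server.server_address[1],
                    read_port(port_file),
                    round_trip(port_file, b"hello"))
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print(demo())
```

Because the port is chosen by the kernel at bind time rather than agreed on beforehand, two test runs on the same host cannot collide on it; the file is the only channel the client needs.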
134 lines
4.9 KiB
Perl
#require serve

  $ cat > web.conf << EOF
  > [paths]
  > / = $TESTTMP/*
  > EOF

  $ hg init repo1
  $ cd repo1
  $ touch foo
  $ hg -q commit -A -m initial
  $ cd ..

  $ hg serve -p 0 --port-file $TESTTMP/.port -d --pid-file=hg.pid --web-conf web.conf
  $ HGPORT=`cat $TESTTMP/.port`
  $ cat hg.pid >> $DAEMON_PIDS

repo index should not send Content-Security-Policy header by default

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows

static page should not send CSP by default

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows

repo page should not send CSP by default, should send ETag

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  etag: W/"*" (glob)

  $ killdaemons.py

Configure CSP without nonce

  $ cat >> web.conf << EOF
  > [web]
  > csp = script-src https://example.com/ 'unsafe-inline'
  > EOF

  $ hg serve -p 0 --port-file $TESTTMP/.port -d --pid-file=hg.pid --web-conf web.conf
  $ HGPORT=`cat $TESTTMP/.port`
  $ cat hg.pid > $DAEMON_PIDS

repo index should send Content-Security-Policy header when enabled

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'

static page should send CSP when enabled

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'

repo page should send CSP by default, include etag w/o nonce

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'
  etag: W/"*" (glob)

nonce should not be added to html if CSP doesn't use it

  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'
  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
  <!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
  <script type="text/javascript">
  <script type="text/javascript">

Configure CSP with nonce

  $ killdaemons.py
  $ cat >> web.conf << EOF
  > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
  > EOF

  $ hg serve -p 0 --port-file $TESTTMP/.port -d --pid-file=hg.pid --web-conf web.conf
  $ HGPORT=`cat $TESTTMP/.port`
  $ cat hg.pid > $DAEMON_PIDS

nonce should be substituted in CSP header

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce should be included in CSP for static pages

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

repo page should have nonce, no ETag

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce should be added to html when used

  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
  <!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
  <script type="text/javascript" nonce="*"> (glob)
  <script type="text/javascript" nonce="*"> (glob)

hgweb_mod w/o hgwebdir works as expected

  $ killdaemons.py

  $ hg serve -R repo1 -p 0 --port-file $TESTTMP/.port -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
  $ HGPORT=`cat $TESTTMP/.port`
  $ cat hg.pid > $DAEMON_PIDS

static page sends CSP

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce included in <script> and headers

  $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy | egrep 'content-security-policy|<script'
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
  <script type="text/javascript" src="/static/mercurial.js"></script>
  <!--[if IE]><script type="text/javascript" src="/static/excanvas.js"></script><![endif]-->
  <script type="text/javascript" nonce="*"> (glob)
  <script type="text/javascript" nonce="*"> (glob)
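The three behaviours the test above pins down (a `%nonce%` placeholder in `web.csp` is replaced per response in the header and on inline `<script>` tags only, no nonce attribute appears when the policy has no placeholder, and a nonced page carries no ETag because every response is unique) as an added Python example. This is not hgweb's code: `render`, `check_nonce_consistency`, the regexes and `SAMPLE_HTML` are constructed here; the checker does what the `egrep` lines in the test do by hand, comparing the nonce in the header with the nonces in the markup.

```python
import hashlib
import re
import secrets

NONCE_PLACEHOLDER = "%nonce%"  # same placeholder hgweb's web.csp uses

# Inline <script> tags only: tags carrying a src= attribute are left alone,
# matching the expected output above.
_INLINE_SCRIPT = re.compile(r'(<script\b(?![^>]*\bsrc=)[^>]*)(>)', re.IGNORECASE)
_NONCE_ATTR = re.compile(r'<script\b[^>]*\bnonce="([^"]*)"', re.IGNORECASE)
_NONCE_SOURCE = re.compile(r"'nonce-([^']+)'")

# Constructed page with two external scripts (one inside an IE conditional
# comment) and two inline scripts, like the graph page in the test.
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
<!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
<script type="text/javascript">
var graph = 1;
</script>
</head><body><script type="text/javascript">init();</script></body></html>"""


def render(csp_template, html, etag_source=None, nonce=None):
    """Return (headers, html) for one response.

    csp_template -- the web.csp value; '' means CSP is disabled
    etag_source  -- bytes the ETag would be derived from, or None
    nonce        -- fixed nonce for deterministic tests; random when None
    """
    headers = {}
    uses_nonce = NONCE_PLACEHOLDER in csp_template
    if uses_nonce:
        nonce = nonce or secrets.token_urlsafe(16)
        headers["content-security-policy"] = csp_template.replace(NONCE_PLACEHOLDER, nonce)
        html = _INLINE_SCRIPT.sub(
            lambda m: '%s nonce="%s"%s' % (m.group(1), nonce, m.group(2)), html)
    elif csp_template:
        headers["content-security-policy"] = csp_template
    # A per-response nonce makes every body different, so a cache validator
    # would be wrong; only emit one when the body is stable.
    if etag_source is not None and not uses_nonce:
        headers["etag"] = 'W/"%s"' % hashlib.sha256(etag_source).hexdigest()[:16]
    return headers, html


def check_nonce_consistency(headers, html):
    """True when every inline nonce attribute matches the single nonce the
    header declares, and no nonce attribute is present when it declares none."""
    policy = headers.get("content-security-policy", "")
    declared = set(_NONCE_SOURCE.findall(policy))
    used = set(_NONCE_ATTR.findall(html))
    if not declared:
        return not used
    return len(declared) == 1 and used <= declared


if __name__ == "__main__":
    policy = "image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
    hdrs, body = render(policy, SAMPLE_HTML, etag_source=b"tip")
    print(hdrs["content-security-policy"])
    print(check_nonce_consistency(hdrs, body))
```

Note that, exactly as in the test's expected output, the external `/repo1/static/mercurial.js` script gets no nonce; whether a browser executes it is decided by the policy's source list, so a deployed policy must also allow the origin the static files are served from (for instance `'self'`), which the test's `https://example.com/`-only policy does not.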