##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

lfs: add the 'lfs' requirement in the changegroup transaction introducing lfs...
lfs: add the 'lfs' requirement in the changegroup transaction introducing lfs A hook like this is how largefiles manages to do the same. Largefiles uses a changegroup hook, but this uses pretxnchangegroup because that actually causes the transaction to rollback in the unlikely event that writing the requirements out fails. Sadly, the requires file itself isn't rolled back if a subsequent hook fails, but that seems trivial. Now that commit, changegroup and convert are covered, I don't think there's any way to get an lfs repo without the requirement. The grep exit code is blotted out of some test-lfs-serve.t tests now showing the requirement, because run-tests.py doesn't support conditionalizing the exit code.
Saurabh Singh - - Load All Authors

File last commit:

r34484:a6d95a8b default
r35520:6bb940de default
Show More
test-hgweb-csp.t
129 lines | 4.7 KiB | text/troff | Tads3Lexer
/ tests / test-hgweb-csp.t
History | Annotation | Raw |Copy content |Copy permalink
#require serve
$ cat > web.conf << EOF
> [paths]
> / = $TESTTMP/*
> EOF
$ hg init repo1
$ cd repo1
$ touch foo
$ hg -q commit -A -m initial
$ cd ..
$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
$ cat hg.pid >> $DAEMON_PIDS
repo index should not send Content-Security-Policy header by default
$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
200 Script output follows
static page should not send CSP by default
$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
200 Script output follows
repo page should not send CSP by default, should send ETag
$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
200 Script output follows
etag: W/"*" (glob)
$ killdaemons.py
Configure CSP without nonce
$ cat >> web.conf << EOF
> [web]
> csp = script-src https://example.com/ 'unsafe-inline'
> EOF
$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
$ cat hg.pid > $DAEMON_PIDS
repo index should send Content-Security-Policy header when enabled
$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
200 Script output follows
content-security-policy: script-src https://example.com/ 'unsafe-inline'
static page should send CSP when enabled
$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
200 Script output follows
content-security-policy: script-src https://example.com/ 'unsafe-inline'
repo page should send CSP by default, include etag w/o nonce
$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
200 Script output follows
content-security-policy: script-src https://example.com/ 'unsafe-inline'
etag: W/"*" (glob)
nonce should not be added to html if CSP doesn't use it
$ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'
<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
<!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
<script type="text/javascript">
<script type="text/javascript">
Configure CSP with nonce
$ killdaemons.py
$ cat >> web.conf << EOF
> csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
> EOF
$ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
$ cat hg.pid > $DAEMON_PIDS
nonce should be substituted in CSP header
$ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
200 Script output follows
content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
nonce should be included in CSP for static pages
$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
200 Script output follows
content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
repo page should have nonce, no ETag
$ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
200 Script output follows
content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
nonce should be added to html when used
$ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'
content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
<script type="text/javascript" src="/repo1/static/mercurial.js"></script>
<!--[if IE]><script type="text/javascript" src="/repo1/static/excanvas.js"></script><![endif]-->
<script type="text/javascript" nonce="*"> (glob)
<script type="text/javascript" nonce="*"> (glob)
hgweb_mod w/o hgwebdir works as expected
$ killdaemons.py
$ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
$ cat hg.pid > $DAEMON_PIDS
static page sends CSP
$ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
200 Script output follows
content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
nonce included in <script> and headers
$ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy | egrep 'content-security-policy|<script'
content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
<script type="text/javascript" src="/static/mercurial.js"></script>
<!--[if IE]><script type="text/javascript" src="/static/excanvas.js"></script><![endif]-->
<script type="text/javascript" nonce="*"> (glob)
<script type="text/javascript" nonce="*"> (glob)