diff options
| author | Joe Chen <jc@unknwon.io> | 2023-02-18 22:15:13 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-02-18 22:15:13 +0800 |
| commit | 15d0d6a94be0098a8227b6b95bdf2daed105ec41 (patch) | |
| tree | 11508785272d2fbe5d6d136c0448b67bdd51e033 | |
| parent | 0f8c71d3b3fb55b2dad798dcd7594845e5dbe038 (diff) | |
fix(db): correctly check Git path on case-insensitive file system (#7359)
| -rw-r--r-- | CHANGELOG.md | 1 | ||||
| -rw-r--r-- | internal/db/repo_editor.go | 3 | ||||
| -rw-r--r-- | internal/db/repo_editor_test.go | 9 |
3 files changed, 12 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 279db715..236adf92 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,7 @@ All notable changes to Gogs are documented in this file. ### Fixed - _Security:_ Stored XSS for issue assignees. [#7145](https://github.com/gogs/gogs/issues/7145) +- _Security:_ OS Command Injection in repo editor on case-insensitive file systems. [#7030](https://github.com/gogs/gogs/issues/7030) - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761) - Unable to choose "Lookup Avatar by mail" in user settings without deleting custom avatar. [#7267](https://github.com/gogs/gogs/pull/7267) - Mistakenly include the "data" directory under the custom directory in the Docker setup. [#7343](https://github.com/gogs/gogs/pull/7343) diff --git a/internal/db/repo_editor.go b/internal/db/repo_editor.go index 3edb16e2..0a1c9495 100644 --- a/internal/db/repo_editor.go +++ b/internal/db/repo_editor.go @@ -485,7 +485,10 @@ type UploadRepoFileOptions struct { // isRepositoryGitPath returns true if given path is or resides inside ".git" // path of the repository. +// +// TODO(unknwon): Move to repoutil during refactoring for this file. func isRepositoryGitPath(path string) bool { + path = strings.ToLower(path) return strings.HasSuffix(path, ".git") || strings.Contains(path, ".git/") || strings.Contains(path, `.git\`) || diff --git a/internal/db/repo_editor_test.go b/internal/db/repo_editor_test.go index 6aeed011..f6178eda 100644 --- a/internal/db/repo_editor_test.go +++ b/internal/db/repo_editor_test.go @@ -10,7 +10,7 @@ import ( "github.com/stretchr/testify/assert" ) -func Test_isRepositoryGitPath(t *testing.T) { +func TestIsRepositoryGitPath(t *testing.T) { tests := []struct { path string wantVal bool @@ -21,6 +21,13 @@ func Test_isRepositoryGitPath(t *testing.T) { {path: ".git/hooks", wantVal: true}, {path: "dir/.git", wantVal: true}, + // Case-insensitive file system + {path: ".Git", wantVal: true}, + {path: "./.Git", wantVal: true}, + {path: ".Git/hooks/pre-commit", wantVal: true}, + {path: ".Git/hooks", wantVal: true}, + {path: "dir/.Git", wantVal: true}, + {path: ".gitignore", wantVal: false}, {path: "dir/.gitkeep", wantVal: false}, |