authorJoe Chen <jc@unknwon.io>2022-05-31 15:10:00 +0800
committerGitHub <noreply@github.com>2022-05-31 15:10:00 +0800
commit90bc75229726a24a28507d3e8178f86734f112e1 (patch)
treea9b372b4176e10a752b7102022b45002a45935d8
parent519aeefbd93adad833cb45ba36f71622d3068223 (diff)
repo_editor: prohibit move files to to `.git` directory (#6986)
-rw-r--r--CHANGELOG.md3
-rw-r--r--internal/db/repo_editor.go12
2 files changed, 12 insertions, 3 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7d0623d9..7d159bfa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,9 @@ All notable changes to Gogs are documented in this file.
### Fixed
+- _Security:_ XSS in cookies. [#6953](https://github.com/gogs/gogs/issues/6953)
+- _Security:_ OS Command Injection in file uploading. [#6968](https://github.com/gogs/gogs/issues/6968)
+- _Security:_ Remote Command Execution in file editing. [#6555](https://github.com/gogs/gogs/issues/6555)
- Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
### Removed
diff --git a/internal/db/repo_editor.go b/internal/db/repo_editor.go
index 53a733a7..9d4664be 100644
--- a/internal/db/repo_editor.go
+++ b/internal/db/repo_editor.go
@@ -121,6 +121,11 @@ type UpdateRepoFileOptions struct {
// UpdateRepoFile adds or updates a file in repository.
func (repo *Repository) UpdateRepoFile(doer *User, opts UpdateRepoFileOptions) (err error) {
+ // 🚨 SECURITY: Prevent uploading files into the ".git" directory
+ if isRepositoryGitPath(opts.NewTreeName) {
+ return errors.Errorf("bad tree path %q", opts.NewTreeName)
+ }
+
repoWorkingPool.CheckIn(com.ToStr(repo.ID))
defer repoWorkingPool.CheckOut(com.ToStr(repo.ID))
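Review bot: The new guard at the top of UpdateRepoFile tests opts.NewTreeName exactly as received, whereas the equivalent guard in UploadRepoFiles further down in this file runs only after `upload.Name = pathutil.Clean(upload.Name)`; unless the caller has already normalized the path, the two checks see differently shaped inputs for the same intent. Consider `opts.NewTreeName = pathutil.Clean(opts.NewTreeName)` immediately before the check, or a comment on the guard stating that the caller normalizes, so that the three call sites of isRepositoryGitPath share one contract. Only the destination path is checked here; whether the source path of a move needs the same treatment depends on how the rest of UpdateRepoFile uses it, and that body continues outside the hunk. The two hunks in UploadRepoFiles only reword existing comments and need no change.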
@@ -458,7 +463,8 @@ type UploadRepoFileOptions struct {
Files []string // In UUID format
}
-// isRepositoryGitPath returns true if given path is or resides inside ".git" path of the repository.
+// isRepositoryGitPath returns true if given path is or resides inside ".git"
+// path of the repository.
func isRepositoryGitPath(path string) bool {
return strings.HasSuffix(path, ".git") ||
strings.Contains(path, ".git"+string(os.PathSeparator)) ||
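Review bot: The rewrapped doc comment still understates what isRepositoryGitPath rejects: `strings.HasSuffix(path, ".git")` matches any path whose last component merely ends in ".git" (a file named `notes.git`, for instance), and the `strings.Contains` test is keyed on `os.PathSeparator` alone. Now that this helper guards three call sites, the conservatism is worth stating so the next reader does not narrow it: `// isRepositoryGitPath reports whether path is, resides inside, or merely ends with ".git"; it is deliberately broad and false positives are accepted (confirm this is intended).` The function's remaining condition lies outside the hunk.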
@@ -472,7 +478,7 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
return nil
}
- // Prevent uploading files into the ".git" directory
+ // 🚨 SECURITY: Prevent uploading files into the ".git" directory
if isRepositoryGitPath(opts.TreePath) {
return errors.Errorf("bad tree path %q", opts.TreePath)
}
@@ -512,7 +518,7 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
upload.Name = pathutil.Clean(upload.Name)
- // Prevent uploading files into the ".git" directory
+ // 🚨 SECURITY: Prevent uploading files into the ".git" directory
if isRepositoryGitPath(upload.Name) {
continue
}