author | Joe Chen <jc@unknwon.io> | 2022-06-07 21:11:36 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-06-07 21:11:36 +0800 |
commit | 9bf748b6c4c9a17d3aa77f6b9abcfae65451febf (patch) | |
tree | 61e92de48f48737d3df7d62e178af79006d96e09 | |
parent | e3706575d5d95fee19b8170c510c4fc567d079a3 (diff) |
http: clean request path from Git endpoints (#7022)
-rw-r--r-- | CHANGELOG.md | 1 | ||||
-rw-r--r-- | internal/pathutil/pathutil_test.go | 4 | ||||
-rw-r--r-- | internal/route/repo/http.go | 17 |
3 files changed, 17 insertions, 5 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 765d6935..cb3e5cfe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ All notable changes to Gogs are documented in this file.
 - _Security:_ OS Command Injection in file editor. [#7000](https://github.com/gogs/gogs/issues/7000)
 - _Security:_ Sanitize `DisplayName` in repository issue list. [#7009](https://github.com/gogs/gogs/pull/7009)
 - _Security:_ Path Traversal in file editor on Windows. [#7001](https://github.com/gogs/gogs/issues/7001)
+- _Security:_ Path Traversal in Git HTTP endpoints. [#7002](https://github.com/gogs/gogs/issues/7002)
 - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
 - Unable to init repository during creation on Windows. [#6967](https://github.com/gogs/gogs/issues/6967)
 - Mysterious panic on `Value not found for type *repo.HTTPContext`. [#6963](https://github.com/gogs/gogs/issues/6963)
diff --git a/internal/pathutil/pathutil_test.go b/internal/pathutil/pathutil_test.go
index d20e537a..7444c82a 100644
--- a/internal/pathutil/pathutil_test.go
+++ b/internal/pathutil/pathutil_test.go
@@ -28,6 +28,10 @@ func TestClean(t *testing.T) {
 wantVal: "a/readme.txt",
 },
 {
+ path: "../../objects/info/..",
+ wantVal: "objects",
+ },
+ {
 path: "/a/readme.txt",
 wantVal: "a/readme.txt",
 },
diff --git a/internal/route/repo/http.go b/internal/route/repo/http.go
index 575719f1..668c4cfa 100644
--- a/internal/route/repo/http.go
+++ b/internal/route/repo/http.go
@@ -24,6 +24,7 @@ import (
 "gogs.io/gogs/internal/conf"
 "gogs.io/gogs/internal/db"
 "gogs.io/gogs/internal/lazyregexp"
+ "gogs.io/gogs/internal/pathutil"
 "gogs.io/gogs/internal/tool"
 )
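Review bot: The new `TestClean` case only covers a relative path, while the Git HTTP handler in this same commit relies on `"/"+pathutil.Clean(m[1])` round-tripping a slash-prefixed capture, so a traversal sitting behind a leading slash is the shape that guard actually sees and is worth pinning, e.g. `{ path: "/../../objects/info/..", wantVal: "objects" }`. If `Clean` is also meant to neutralize backslash separators (the changelog hunk above lists a Windows traversal fix in the same release, but I can't tell from this hunk whether `Clean` handles them), a `"..\\..\\objects"` case would document that too. `TestClean` starts before this hunk and its table continues after it.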
@@ -408,15 +409,21 @@ func HTTP(c *HTTPContext) {
 }
 if route.method != c.Req.Method {
- c.NotFound()
+ c.Error(http.StatusNotFound)
 return
 }
- file := strings.TrimPrefix(reqPath, m[1]+"/")
- dir, err := getGitRepoPath(m[1])
+ cleaned := pathutil.Clean(m[1])
+ if m[1] != "/"+cleaned {
+ c.Error(http.StatusBadRequest, "Request path contains suspicious characters")
+ return
+ }
+
+ file := strings.TrimPrefix(reqPath, cleaned)
+ dir, err := getGitRepoPath(cleaned)
 if err != nil {
 log.Warn("HTTP.getGitRepoPath: %v", err)
- c.NotFound()
+ c.Error(http.StatusNotFound)
 return
 }
@@ -435,5 +442,5 @@ func HTTP(c *HTTPContext) {
 return
 }
- c.NotFound()
+ c.Error(http.StatusNotFound)
 }
|
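Review bot: The new `file := strings.TrimPrefix(reqPath, cleaned)` trims a prefix that can no longer match: the guard just above only lets a request through when `m[1] == "/"+cleaned`, so `m[1]` carries a leading slash while `cleaned` does not (the pathutil test in this commit shows `Clean("/a/readme.txt")` yielding `a/readme.txt`), and the removed line trimmed `m[1]+"/"`, which suggests `reqPath` begins with `m[1]`. If that is so, `file` now keeps the whole request path including the repository prefix, which the handlers presumably join onto `dir` — `reqPath` is assigned before the hunk, so I can't confirm it from here. The old form is still safe to keep now that `m[1]` has been validated against its cleaned form: `file := strings.TrimPrefix(reqPath, m[1]+"/")`. A comment on the guard would also help the next reader see why a mismatch is rejected rather than normalized: `// A capture that does not round-trip through Clean contained "..", "." or duplicate separators; reject it so the repo lookup and the file suffix always agree.` `HTTP` begins before this hunk and continues past it.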