author | Joe Chen <jc@unknwon.io> | 2023-02-14 21:46:09 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-14 21:46:09 +0800 |
commit | 8f9895acaf43c0141269956aa174d91b7346d5a4 (patch) | |
tree | 744582c1bcd1ced72d5bc9423e95d83a8d401882 /internal/db | |
parent | 2a375007eed6529c464a14e0bd963bfd3d4cd2dc (diff) |
fix(db): sanitize user full name after find (#7353)
Diffstat (limited to 'internal/db')
-rw-r--r-- | internal/db/issue.go | 4 | ||||
-rw-r--r-- | internal/db/repo.go | 5 | ||||
-rw-r--r-- | internal/db/users.go | 2 | ||||
-rw-r--r-- | internal/db/users_test.go | 2 |
4 files changed, 13 insertions, 0 deletions
diff --git a/internal/db/issue.go b/internal/db/issue.go
index 74bf837a..ef54e172 100644
--- a/internal/db/issue.go
+++ b/internal/db/issue.go
@@ -19,6 +19,7 @@ import (
 	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/db/errors"
 	"gogs.io/gogs/internal/errutil"
+	"gogs.io/gogs/internal/markup"
 	"gogs.io/gogs/internal/tool"
 )
 
@@ -88,6 +89,9 @@ func getUserByID(e Engine, id int64) (*User, error) {
 	} else if !has {
 		return nil, ErrUserNotExist{args: errutil.Args{"userID": id}}
 	}
+
+	// TODO(unknwon): Rely on AfterFind hook to sanitize user full name.
+	u.FullName = markup.Sanitize(u.FullName)
 	return u, nil
 }
 
diff --git a/internal/db/repo.go b/internal/db/repo.go
index dbda2089..28a211fc 100644
--- a/internal/db/repo.go
+++ b/internal/db/repo.go
@@ -503,6 +503,11 @@ func (repo *Repository) getUsersWithAccesMode(e Engine, mode AccessMode) (_ []*U
 		if err = e.In("id", userIDs).Find(&users); err != nil {
 			return nil, err
 		}
+
+		// TODO(unknwon): Rely on AfterFind hook to sanitize user full name.
+		for _, u := range users {
+			u.FullName = markup.Sanitize(u.FullName)
+		}
 	}
 	if !repo.Owner.IsOrganization() {
 		users = append(users, repo.Owner)
diff --git a/internal/db/users.go b/internal/db/users.go
index b33772c0..631a7ff8 100644
--- a/internal/db/users.go
+++ b/internal/db/users.go
@@ -24,6 +24,7 @@ import (
 	"gogs.io/gogs/internal/cryptoutil"
 	"gogs.io/gogs/internal/dbutil"
 	"gogs.io/gogs/internal/errutil"
+	"gogs.io/gogs/internal/markup"
 	"gogs.io/gogs/internal/osutil"
 	"gogs.io/gogs/internal/repoutil"
 	"gogs.io/gogs/internal/strutil"
@@ -1132,6 +1133,7 @@ func (u *User) BeforeCreate(tx *gorm.DB) error {
 
 // AfterFind implements the GORM query hook.
 func (u *User) AfterFind(_ *gorm.DB) error {
+	u.FullName = markup.Sanitize(u.FullName)
 	u.Created = time.Unix(u.CreatedUnix, 0).Local()
 	u.Updated = time.Unix(u.UpdatedUnix, 0).Local()
 	return nil
diff --git a/internal/db/users_test.go b/internal/db/users_test.go
index edb9c1dd..d83ffe50 100644
--- a/internal/db/users_test.go
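Review bot: The sanitize call added at the end of getUserByID (and the equivalent loop in getUsersWithAccesMode in repo.go) covers only these two xorm `Engine` read paths; any other place in the package that loads a User through the xorm Engine rather than the GORM store, if one exists, still returns the raw FullName, and the TODO comments acknowledge the hook is meant to take over. Until then the template layer's HTML escaping is presumably the control that actually has to hold, so this is defence in depth rather than the fix. To keep the two interim sites and the hook from drifting apart, a single unexported helper, `func (u *User) sanitizeFullName() { u.FullName = markup.Sanitize(u.FullName) }`, called from all three places, would leave one line to delete when the hook covers every read. getUserByID's body starts outside the hunk.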
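Review bot: In getUsersWithAccesMode the new loop sanitizes only the users returned by `e.In("id", userIDs).Find(&users)`; `repo.Owner`, appended to the same slice two lines later, is not touched in this hunk, so its FullName is sanitized only if it was loaded through a path that already does so, which is not visible here. If that is not guaranteed, sanitizing after the `append` (or sanitizing `repo.Owner` before appending it) would make the returned slice uniform. The loop writes through `*User` pointers, consistent with the `[]*U…` result type in the hunk header, so the assignment does take effect. The function starts and ends outside the hunk.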
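Review bot: AfterFind now rewrites FullName on every load, so what markup.Sanitize does to legitimate names matters as much as what it does to the script payload: if it escapes rather than strips (turning `&` into `&amp;`, say — not visible on this page), html/template will escape the value a second time and a user named "Tom & Jerry" will see `&amp;` on every page. The contract the hook relies on is worth stating next to the call, e.g. `// Sanitized on read so no caller sees raw HTML; markup.Sanitize must be idempotent and must leave plain text unchanged.` Note too that the in-memory value is now the sanitized one, so a later full-record save would persist it and silently rewrite the stored name — whether any such save path exists is not visible here.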
+++ b/internal/db/users_test.go @@ -68,10 +68,12 @@ func TestUser_AfterFind(t *testing.T) { } user := &User{ + FullName: "user1<script src=http://localhost:8181/xss.js>", CreatedUnix: now.Unix(), UpdatedUnix: now.Unix(), } _ = user.AfterFind(db) + assert.Equal(t, "user1", user.FullName) assert.Equal(t, user.CreatedUnix, user.Created.Unix()) assert.Equal(t, user.UpdatedUnix, user.Updated.Unix()) } |
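Review bot: The new assertion pins only that the `<script …>` payload is stripped down to `user1`; nothing shows that a harmless full name survives the hook, which is what users will notice first if Sanitize over-escapes. Adding a second User whose name uses `&` or `<` as literal text (e.g. `FullName: "Tom & Jerry"`) and asserting the form markup.Sanitize is expected to produce, plus a second `AfterFind` call on the already-sanitized user asserting FullName is unchanged, would lock in both plain-text handling and idempotence. TestUser_AfterFind starts outside the hunk.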