diff options
| author | Michael Rowley <michaellrowley@protonmail.com> | 2022-03-08 03:34:53 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-03-08 11:34:53 +0800 |
| commit | 242deca524dbf922bfb08dadd65455164b9e663e (patch) | |
| tree | b8110c947dba99cf3e8115219a440f79f19bcc14 /internal/form | |
| parent | bb19f52c05e212b9358f9efaa897120dbdf9d0ab (diff) | |
security: fix SSRF in repository migration (#6812)
Co-authored-by: Joe Chen <jc@unknwon.io>
Diffstat (limited to 'internal/form')
| -rw-r--r-- | internal/form/repo.go | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/internal/form/repo.go b/internal/form/repo.go index ed963307..bc0dc426 100644 --- a/internal/form/repo.go +++ b/internal/form/repo.go @@ -13,6 +13,7 @@ import ( "gopkg.in/macaron.v1" "gogs.io/gogs/internal/db" + "gogs.io/gogs/internal/netutil" ) // _______________________________________ _________.______________________ _______________.___. @@ -69,6 +70,11 @@ func (f MigrateRepo) ParseRemoteAddr(user *db.User) (string, error) { if err != nil { return "", db.ErrInvalidCloneAddr{IsURLError: true} } + + if netutil.IsLocalHostname(u.Hostname()) { + return "", db.ErrInvalidCloneAddr{IsURLError: true} + } + if len(f.AuthUsername)+len(f.AuthPassword) > 0 { u.User = url.UserPassword(f.AuthUsername, f.AuthPassword) } |