author | Joe Chen <jc@unknwon.io> | 2022-03-13 22:18:56 +0800 |
committer | GitHub <noreply@github.com> | 2022-03-13 22:18:56 +0800 |
commit | 775901058d8a7ca1a58901b7eef3ee768e39612e (patch) | |
tree | 8b3786818c4e63cc13a001b1b5a27ead1a11426d /internal | |
parent | 3e353717540950a1459b3da7f28cc50df4a52119 (diff) |
repo_editor: check upload `TreePath` and file name (#6838)
Diffstat (limited to 'internal')
-rw-r--r-- | internal/db/repo_editor.go | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/internal/db/repo_editor.go b/internal/db/repo_editor.go
index 652d6944..99f982ab 100644
--- a/internal/db/repo_editor.go
+++ b/internal/db/repo_editor.go
@@ -16,6 +16,7 @@ import (
 "strings"
 "time"
+ "github.com/pkg/errors"
 gouuid "github.com/satori/go.uuid"
 "github.com/unknwon/com"
@@ -23,9 +24,10 @@ import (
 "gogs.io/gogs/internal/conf"
 "gogs.io/gogs/internal/cryptoutil"
- "gogs.io/gogs/internal/db/errors"
+ dberrors "gogs.io/gogs/internal/db/errors"
 "gogs.io/gogs/internal/gitutil"
 "gogs.io/gogs/internal/osutil"
+ "gogs.io/gogs/internal/pathutil"
 "gogs.io/gogs/internal/process"
 "gogs.io/gogs/internal/tool"
 )
@@ -134,7 +136,7 @@ func (repo *Repository) UpdateRepoFile(doer *User, opts UpdateRepoFileOptions) (
 if opts.OldBranch != opts.NewBranch {
 // Directly return error if new branch already exists in the server
 if git.RepoHasBranch(repoPath, opts.NewBranch) {
- return errors.BranchAlreadyExists{Name: opts.NewBranch}
+ return dberrors.BranchAlreadyExists{Name: opts.NewBranch}
 }
 // Otherwise, delete branch from local copy in case out of sync
@@ -449,11 +451,16 @@ func isRepositoryGitPath(path string) bool {
 return strings.HasSuffix(path, ".git") || strings.Contains(path, ".git"+string(os.PathSeparator))
 }
-func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions) (err error) {
+func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions) error {
 if len(opts.Files) == 0 {
 return nil
 }
+ // Prevent uploading files into the ".git" directory
+ if isRepositoryGitPath(opts.TreePath) {
+ return errors.Errorf("bad tree path %q", opts.TreePath)
+ }
+
 uploads, err := GetUploadsByUUIDs(opts.Files)
 if err != nil {
 return fmt.Errorf("get uploads by UUIDs[%v]: %v", opts.Files, err)
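Review bot: The new `TreePath` guard at the top of UploadRepoFiles tests the raw value, while the later hunk in this file runs `upload.Name` through `pathutil.Clean` before applying the same check; normalising first here too, `opts.TreePath = pathutil.Clean(opts.TreePath)` ahead of `isRepositoryGitPath(opts.TreePath)`, keeps the check looking at the same form of the path the write will use. `isRepositoryGitPath` (its signature is only hunk-header context here) matches `.git` followed by `os.PathSeparator` and nothing else, so on Windows a slash-separated `.git/config` tree path, and on a case-insensitive filesystem `.GIT/config`, presumably pass the guard if the path is later joined with `filepath.Join`; comparing on `p := strings.ToLower(filepath.ToSlash(path))` with `strings.HasSuffix(p, ".git") || strings.Contains(p, ".git/")` would close both, assuming `path/filepath` can be imported in this file. The new error uses `errors.Errorf` while the line two below it uses `fmt.Errorf` in the same function; settling on one form is a small consistency point. The body of UploadRepoFiles continues past the end of this hunk.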
@@ -487,7 +494,9 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
 continue
 }
- // Prevent copying files into .git directory, see https://gogs.io/gogs/issues/5558.
+ upload.Name = pathutil.Clean(upload.Name)
+
+ // Prevent uploading files into the ".git" directory
 if isRepositoryGitPath(upload.Name) {
 continue
 }
|
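Review bot: A file whose cleaned name trips the `.git` check is dropped with a bare `continue`, so the caller gets no signal that part of the upload was discarded, whereas the same condition on `TreePath` earlier in this function returns an error; returning `errors.Errorf("bad file name %q", upload.Name)` here, or at minimum logging the skip, would make the two paths consistent and the rejection visible. What `pathutil.Clean` returns for a name made only of `..` or `.` segments is not visible in this diff; if it can yield `""` or `"."`, the upload would land on the tree path itself, so a guard like `if upload.Name == "" || upload.Name == "." { continue }` is worth confirming against that helper. The cleaned name is written back into `upload.Name`, which any later step in the loop will now see; a one-line comment such as `// upload.Name is normalised in place; everything below must use the cleaned value` would record that intent. The enclosing loop and UploadRepoFiles both start and end outside this hunk.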