diff options
| -rw-r--r-- | CHANGELOG.md | 1 | ||||
| -rw-r--r-- | internal/db/issue.go | 4 | ||||
| -rw-r--r-- | internal/db/repo.go | 5 | ||||
| -rw-r--r-- | internal/db/users.go | 2 | ||||
| -rw-r--r-- | internal/db/users_test.go | 2 |
5 files changed, 14 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index fb2fb889..c8180a80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,6 +28,7 @@ All notable changes to Gogs are documented in this file. ### Fixed +- _Security:_ Stored XSS for issue assignees. [#7145](https://github.com/gogs/gogs/issues/7145) - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761) - Unable to choose "Lookup Avatar by mail" in user settings without deleting custom avatar. [#7267](https://github.com/gogs/gogs/pull/7267) - Mistakenly include the "data" directory under the custom directory in the Docker setup. [#7343](https://github.com/gogs/gogs/pull/7343) diff --git a/internal/db/issue.go b/internal/db/issue.go index 74bf837a..ef54e172 100644 --- a/internal/db/issue.go +++ b/internal/db/issue.go @@ -19,6 +19,7 @@ import ( "gogs.io/gogs/internal/conf" "gogs.io/gogs/internal/db/errors" "gogs.io/gogs/internal/errutil" + "gogs.io/gogs/internal/markup" "gogs.io/gogs/internal/tool" ) @@ -88,6 +89,9 @@ func getUserByID(e Engine, id int64) (*User, error) { } else if !has { return nil, ErrUserNotExist{args: errutil.Args{"userID": id}} } + + // TODO(unknwon): Rely on AfterFind hook to sanitize user full name. + u.FullName = markup.Sanitize(u.FullName) return u, nil } diff --git a/internal/db/repo.go b/internal/db/repo.go index dbda2089..28a211fc 100644 --- a/internal/db/repo.go +++ b/internal/db/repo.go @@ -503,6 +503,11 @@ func (repo *Repository) getUsersWithAccesMode(e Engine, mode AccessMode) (_ []*U if err = e.In("id", userIDs).Find(&users); err != nil { return nil, err } + + // TODO(unknwon): Rely on AfterFind hook to sanitize user full name. + for _, u := range users { + u.FullName = markup.Sanitize(u.FullName) + } } if !repo.Owner.IsOrganization() { users = append(users, repo.Owner) diff --git a/internal/db/users.go b/internal/db/users.go index b33772c0..631a7ff8 100644 --- a/internal/db/users.go +++ b/internal/db/users.go @@ -24,6 +24,7 @@ import ( "gogs.io/gogs/internal/cryptoutil" "gogs.io/gogs/internal/dbutil" "gogs.io/gogs/internal/errutil" + "gogs.io/gogs/internal/markup" "gogs.io/gogs/internal/osutil" "gogs.io/gogs/internal/repoutil" "gogs.io/gogs/internal/strutil" @@ -1132,6 +1133,7 @@ func (u *User) BeforeCreate(tx *gorm.DB) error { // AfterFind implements the GORM query hook. func (u *User) AfterFind(_ *gorm.DB) error { + u.FullName = markup.Sanitize(u.FullName) u.Created = time.Unix(u.CreatedUnix, 0).Local() u.Updated = time.Unix(u.UpdatedUnix, 0).Local() return nil diff --git a/internal/db/users_test.go b/internal/db/users_test.go index edb9c1dd..d83ffe50 100644 --- a/internal/db/users_test.go +++ b/internal/db/users_test.go @@ -68,10 +68,12 @@ func TestUser_AfterFind(t *testing.T) { } user := &User{ + FullName: "user1<script src=http://localhost:8181/xss.js>", CreatedUnix: now.Unix(), UpdatedUnix: now.Unix(), } _ = user.AfterFind(db) + assert.Equal(t, "user1", user.FullName) assert.Equal(t, user.CreatedUnix, user.Created.Unix()) assert.Equal(t, user.UpdatedUnix, user.Updated.Unix()) } |