From 2b0f129a9121d8fe17dcd1deccfae03f50d82a79 Mon Sep 17 00:00:00 2001
From: Joe Chen
Date: Sun, 22 Dec 2024 16:37:51 -0500
Subject: [PATCH] dep: update github.com/gogs/git-module to v1.8.4 (#7872)

Fixes https://github.com/gogs/gogs/security/advisories/GHSA-m27m-h5gj-wwmg by including https://github.com/gogs/git-module/pull/110
---
 CODEOWNERS | 2 ++
 go.mod | 4 ++--
 go.sum | 8 +++++---
 internal/db/release.go | 4 ++--
 internal/db/repo_editor.go | 2 +-
 5 files changed, 12 insertions(+), 8 deletions(-)
 create mode 100644 CODEOWNERS

diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 000000000..dd3d002b0
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,2 @@
+# Default
+* @gogs/core
diff --git a/go.mod b/go.mod
index 736b75d67..4d33ab924 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 github.com/go-macaron/toolbox v0.0.0-20190813233741-94defb8383c6
 github.com/gogs/chardet v0.0.0-20150115103509-2404f7772561
 github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14
- github.com/gogs/git-module v1.8.1
+ github.com/gogs/git-module v1.8.4
 github.com/gogs/go-gogs-client v0.0.0-20200128182646-c69cb7680fd4
 github.com/gogs/go-libravatar v0.0.0-20191106065024-33a75213d0a0
 github.com/gogs/minwinsvc v0.0.0-20170301035411-95be6356811a
@@ -37,7 +37,7 @@ require (
 github.com/satori/go.uuid v1.2.0
 github.com/sergi/go-diff v1.3.1
 github.com/sourcegraph/run v0.12.0
- github.com/stretchr/testify v1.9.0
+ github.com/stretchr/testify v1.10.0
 github.com/unknwon/cae v1.0.2
 github.com/unknwon/com v1.0.1
 github.com/unknwon/i18n v0.0.0-20190805065654-5c6446a380b6
diff --git a/go.sum b/go.sum
index 38aa2fc9c..c59123bcf 100644
--- a/go.sum
+++ b/go.sum
@@ -166,8 +166,8 @@ github.com/gogs/chardet v0.0.0-20150115103509-2404f7772561 h1:aBzukfDxQlCTVS0NBU
 github.com/gogs/chardet v0.0.0-20150115103509-2404f7772561/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
 github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14 h1:yXtpJr/LV6PFu4nTLgfjQdcMdzjbqqXMEnHfq0Or6p8=
 github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14/go.mod h1:jPoNZLWDAqA5N3G5amEoiNbhVrmM+ZQEcnQvNQ2KaZk=
-github.com/gogs/git-module v1.8.1 h1:yC5BZ3unJOXC8N6/FgGQ8EtJXpOd217lgDcd2aPOxkc=
-github.com/gogs/git-module v1.8.1/go.mod h1:Y3rsSqtFZEbn7lp+3gWf42GKIY1eNTtLt7JrmOy0yAQ=
+github.com/gogs/git-module v1.8.4 h1:oSt8sOL4NWOGrSo/CwbS+C4YXtk76QvxyPofem/ViTU=
+github.com/gogs/git-module v1.8.4/go.mod h1:bQY0aoMK5Q5+NKgy4jXe3K1GFW+GnsSk0SJK0jh6yD0=
 github.com/gogs/go-gogs-client v0.0.0-20200128182646-c69cb7680fd4 h1:C7NryI/RQhsIWwC2bHN601P1wJKeuQ6U/UCOYTn3Cic=
 github.com/gogs/go-gogs-client v0.0.0-20200128182646-c69cb7680fd4/go.mod h1:fR6z1Ie6rtF7kl/vBYMfgD5/G5B1blui7z426/sj2DU=
 github.com/gogs/go-libravatar v0.0.0-20191106065024-33a75213d0a0 h1:K02vod+sn3M1OOkdqi2tPxN2+xESK4qyITVQ3JkGEv4=
@@ -473,8 +473,9 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1F
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
 github.com/unknwon/cae v1.0.2 h1:3L8/RCN1ARvD5quyNjU30EdvYkFbxBfnRcIBXugpHlg=
 github.com/unknwon/cae v1.0.2/go.mod h1:HqpmD2fVq9G1oGEXrXzbgIp51uJ29Hshv41n9ljm+AA=
@@ -615,6 +616,7 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
diff --git a/internal/db/release.go b/internal/db/release.go
index 26b7595d3..82868bc8f 100644
--- a/internal/db/release.go
+++ b/internal/db/release.go
@@ -125,8 +125,8 @@ func createTag(gitRepo *git.Repository, r *Release) error {
 return fmt.Errorf("get branch commit: %v", err)
 }
 
- // Trim '--' prefix to prevent command line argument vulnerability.
- r.TagName = strings.TrimPrefix(r.TagName, "--")
+ // 🚨 SECURITY: Trim any leading '-' to prevent command line argument injection.
+ r.TagName = strings.TrimLeft(r.TagName, "-")
 if err = gitRepo.CreateTag(r.TagName, commit.ID.String()); err != nil {
 if strings.Contains(err.Error(), "is not a valid tag name") {
 return ErrInvalidTagName{r.TagName}
diff --git a/internal/db/repo_editor.go b/internal/db/repo_editor.go
index a7786822f..a39a31b15 100644
--- a/internal/db/repo_editor.go
+++ b/internal/db/repo_editor.go
@@ -243,7 +243,7 @@ func (repo *Repository) GetDiffPreview(branch, treePath, content string) (diff *
 return nil, fmt.Errorf("write file: %v", err)
 }
 
- // 🚨 SECURITY: Prevent including unintended options in the path to the git command.
+ // 🚨 SECURITY: Prevent including unintended options in the path to the Git command.
 cmd := exec.Command("git", "diff", "--end-of-options", treePath)
 cmd.Dir = localPath
 cmd.Stderr = os.Stderr
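Review bot: Stripping leading dashes with `strings.TrimLeft` on the new line silently rewrites a user-supplied tag name instead of rejecting it, so a release submitted as `-v1.0` is created as `v1.0`, and the `ErrInvalidTagName{r.TagName}` returned further down would report the rewritten name rather than what the user sent. As far as I recall `git tag` itself refuses names that begin with `-`, and the code already maps that refusal to `ErrInvalidTagName`, so returning the error early keeps the failure visible and leaves `r.TagName` untouched for whatever persists the release afterwards: `if strings.HasPrefix(r.TagName, "-") {` / `return ErrInvalidTagName{r.TagName}` / `}`. The argument-injection fix proper now lives in git-module v1.8.4 per the commit message, so the trim here is defence in depth rather than the primary control, which the `🚨 SECURITY` comment should say so a later reader does not treat it as sufficient on its own. createTag begins and ends outside the hunk.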