From 3b527a36c8b4c2c52fd3bce4d18118b6722d03a2 Mon Sep 17 00:00:00 2001
From: Joe Chen
Date: Sun, 22 Dec 2024 15:24:18 -0500
Subject: [PATCH] repo: prevent preview and delete files in `.git` directories (#7870)

## Describe the pull request

Fixes https://github.com/gogs/gogs/security/advisories/GHSA-ccqv-43vm-4f3w
---
 internal/db/repo_editor.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/internal/db/repo_editor.go b/internal/db/repo_editor.go
index 2425f620c..2b3254112 100644
--- a/internal/db/repo_editor.go
+++ b/internal/db/repo_editor.go
@@ -220,6 +220,11 @@ func (repo *Repository) UpdateRepoFile(doer *User, opts UpdateRepoFileOptions) (
 // GetDiffPreview produces and returns diff result of a file which is not yet committed.
 func (repo *Repository) GetDiffPreview(branch, treePath, content string) (diff *gitutil.Diff, err error) {
+	// 🚨 SECURITY: Prevent uploading files into the ".git" directory
+	if isRepositoryGitPath(treePath) {
+		return nil, errors.Errorf("bad tree path %q", treePath)
+	}
+
 	repoWorkingPool.CheckIn(com.ToStr(repo.ID))
 	defer repoWorkingPool.CheckOut(com.ToStr(repo.ID))
@@ -283,6 +288,11 @@ type DeleteRepoFileOptions struct {
 }
 
 func (repo *Repository) DeleteRepoFile(doer *User, opts DeleteRepoFileOptions) (err error) {
+	// 🚨 SECURITY: Prevent uploading files into the ".git" directory
+	if isRepositoryGitPath(opts.TreePath) {
+		return errors.Errorf("bad tree path %q", opts.TreePath)
+	}
+
 	repoWorkingPool.CheckIn(com.ToStr(repo.ID))
 	defer repoWorkingPool.CheckOut(com.ToStr(repo.ID))
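Review bot: The comment added at the top of GetDiffPreview says "Prevent uploading files into the ".git" directory", but this function only previews an uncommitted diff, so the wording looks copied from the upload path and will mislead the next reader; I would write `// 🚨 SECURITY: Refuse tree paths inside the ".git" directory so the preview can never touch repository metadata.` The guard runs on the raw treePath with no cleaning, so its strength rests entirely on isRepositoryGitPath, whose definition is outside this hunk; if that helper compares case-sensitively or only recognises "/" as a separator, variants such as `.GIT/config` on a case-insensitive filesystem or a path spelled with `\` on Windows should be confirmed to be rejected as well. Returning before repoWorkingPool.CheckIn is the right order, since the deferred CheckOut is not yet registered on the error path. GetDiffPreview's body continues past the end of the hunk.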
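Review bot: This fix for a published advisory lands without a regression test (the diffstat shows one file changed, 10 insertions), so nothing pins that DeleteRepoFile rejects a TreePath such as `.git/config` or `.git/hooks/pre-receive`; a small table test over isRepositoryGitPath covering those inputs, a `..`-containing path, and a benign `README.md` would be cheap and would document the contract the two new guards rely on. The duplicated comment in this hunk also says "uploading" although the function deletes; `// 🚨 SECURITY: Refuse to delete anything under the ".git" directory` matches what the code does. The error is built with errors.Errorf, which is appropriate here as long as the HTTP layer maps it to a client error rather than a 500, something this hunk cannot show. DeleteRepoFile's body continues past the end of the hunk.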