USEFULL
/
gogs
mirror of https://github.com/gogs/gogs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

repo_editor: prohibit move files to to `.git` directory (#6986) 

# Conflicts:
#	CHANGELOG.md
pull/7785/head
Joe Chen 2022-05-31 15:10:00 +08:00
parent bcebe673d1
commit 5250403d60
No known key found for this signature in database
GPG Key ID: 0BDE5280C552FF60
2 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -22,7 +22,6 @@ All notable changes to Gogs are documented in this file.
### Fixed
- _Security:_ SSRF in webhook. [#6901](https://github.com/gogs/gogs/issues/6901)
- _Security:_ XSS in cookies. [#6953](https://github.com/gogs/gogs/issues/6953)
- _Security:_ OS Command Injection in file uploading. [#6968](https://github.com/gogs/gogs/issues/6968)
- _Security:_ Remote Command Execution in file editing. [#6555](https://github.com/gogs/gogs/issues/6555)

12
internal/db/repo_editor.go
View File

@ -121,6 +121,11 @@ type UpdateRepoFileOptions struct {
// UpdateRepoFile adds or updates a file in repository.
func (repo *Repository) UpdateRepoFile(doer *User, opts UpdateRepoFileOptions) (err error) {
// 🚨 SECURITY: Prevent uploading files into the ".git" directory
if isRepositoryGitPath(opts.NewTreeName) {
return errors.Errorf("bad tree path %q", opts.NewTreeName)
}
repoWorkingPool.CheckIn(com.ToStr(repo.ID))
defer repoWorkingPool.CheckOut(com.ToStr(repo.ID))
@ -446,7 +451,8 @@ type UploadRepoFileOptions struct {
Files []string // In UUID format
}
// isRepositoryGitPath returns true if given path is or resides inside ".git" path of the repository.
// isRepositoryGitPath returns true if given path is or resides inside ".git"
// path of the repository.
func isRepositoryGitPath(path string) bool {
return strings.HasSuffix(path, ".git") || strings.Contains(path, ".git"+string(os.PathSeparator))
}
@ -456,7 +462,7 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
return nil
}
// Prevent uploading files into the ".git" directory
// 🚨 SECURITY: Prevent uploading files into the ".git" directory
if isRepositoryGitPath(opts.TreePath) {
return errors.Errorf("bad tree path %q", opts.TreePath)
}
@ -496,7 +502,7 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
upload.Name = pathutil.Clean(upload.Name)
// Prevent uploading files into the ".git" directory
// 🚨 SECURITY: Prevent uploading files into the ".git" directory
if isRepositoryGitPath(upload.Name) {
continue
}