repo_editor: check upload `TreePath` and file name ()

Joe Chen 2022-03-13 22:18:56 +08:00 committed by GitHub
parent 3e35371754
commit 775901058d
1 changed files with 13 additions and 4 deletions
internal/db


@ -16,6 +16,7 @@ import (
"strings" "strings"
"time" "time"
"github.com/pkg/errors"
gouuid "github.com/satori/go.uuid" gouuid "github.com/satori/go.uuid"
"github.com/unknwon/com" "github.com/unknwon/com"
@ -23,9 +24,10 @@ import (
"gogs.io/gogs/internal/conf" "gogs.io/gogs/internal/conf"
"gogs.io/gogs/internal/cryptoutil" "gogs.io/gogs/internal/cryptoutil"
"gogs.io/gogs/internal/db/errors" dberrors "gogs.io/gogs/internal/db/errors"
"gogs.io/gogs/internal/gitutil" "gogs.io/gogs/internal/gitutil"
"gogs.io/gogs/internal/osutil" "gogs.io/gogs/internal/osutil"
"gogs.io/gogs/internal/pathutil"
"gogs.io/gogs/internal/process" "gogs.io/gogs/internal/process"
"gogs.io/gogs/internal/tool" "gogs.io/gogs/internal/tool"
) )
@ -134,7 +136,7 @@ func (repo *Repository) UpdateRepoFile(doer *User, opts UpdateRepoFileOptions) (
if opts.OldBranch != opts.NewBranch { if opts.OldBranch != opts.NewBranch {
// Directly return error if new branch already exists in the server // Directly return error if new branch already exists in the server
if git.RepoHasBranch(repoPath, opts.NewBranch) { if git.RepoHasBranch(repoPath, opts.NewBranch) {
return errors.BranchAlreadyExists{Name: opts.NewBranch} return dberrors.BranchAlreadyExists{Name: opts.NewBranch}
} }
// Otherwise, delete branch from local copy in case out of sync // Otherwise, delete branch from local copy in case out of sync
@ -449,11 +451,16 @@ func isRepositoryGitPath(path string) bool {
return strings.HasSuffix(path, ".git") || strings.Contains(path, ".git"+string(os.PathSeparator)) return strings.HasSuffix(path, ".git") || strings.Contains(path, ".git"+string(os.PathSeparator))
} }
func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions) (err error) { func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions) error {
if len(opts.Files) == 0 { if len(opts.Files) == 0 {
return nil return nil
} }
// Prevent uploading files into the ".git" directory
if isRepositoryGitPath(opts.TreePath) {
return errors.Errorf("bad tree path %q", opts.TreePath)
}
uploads, err := GetUploadsByUUIDs(opts.Files) uploads, err := GetUploadsByUUIDs(opts.Files)
if err != nil { if err != nil {
return fmt.Errorf("get uploads by UUIDs[%v]: %v", opts.Files, err) return fmt.Errorf("get uploads by UUIDs[%v]: %v", opts.Files, err)
@ -487,7 +494,9 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
continue continue
} }
// Prevent copying files into .git directory, see https://gogs.io/gogs/issues/5558. upload.Name = pathutil.Clean(upload.Name)
// Prevent uploading files into the ".git" directory
if isRepositoryGitPath(upload.Name) { if isRepositoryGitPath(upload.Name) {
continue continue
} }
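Review bot: The new `TreePath` guard in UploadRepoFiles tests the raw value, while the file name in the later hunk is normalized with `pathutil.Clean` before the same `isRepositoryGitPath` test, so a tree path carrying `..` segments, a leading `./` or doubled separators is not brought into canonical form before the `.git` check. Normalizing both inputs the same way would close that gap: `opts.TreePath = pathutil.Clean(opts.TreePath)` immediately before `if isRepositoryGitPath(opts.TreePath) {`, and ideally using the cleaned value for whatever path the upload is later joined onto. Note also that `isRepositoryGitPath` matches `".git" + string(os.PathSeparator)`; if `TreePath` arrives slash-separated from the web form, that substring test would presumably not match on Windows hosts, so the helper may want to check `"/"` as well — worth confirming against the caller. A smaller point of style: the new guard uses `errors.Errorf` (pkg/errors) while the very next error two lines down uses `fmt.Errorf`; picking one within the function keeps the error chain uniform. The body of UploadRepoFiles continues outside both hunks.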