api: clean file path for updating repo contents (#7859)

## Describe the pull request

Link to the issue: closes https://github.com/gogs/gogs/issues/7582

internal/database/repo_editor.go

@@ -541,6 +541,7 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
 			continue
 		}
 
+		// 🚨 SECURITY: Prevent path traversal.
 		upload.Name = pathutil.Clean(upload.Name)
 
 		// 🚨 SECURITY: Prevent uploading files into the ".git" directory

internal/pathutil/pathutil.go

@@ -11,6 +11,9 @@ import (
 
 // Clean cleans up given path and returns a relative path that goes straight
 // down to prevent path traversal.
+//
+// 🚨 SECURITY: This function MUST be used for any user input that is used as
+// file system path to prevent path traversal.
 func Clean(p string) string {
 	p = strings.ReplaceAll(p, `\`, "/")
 	return strings.Trim(path.Clean("/"+p), "/")

internal/route/api/v1/repo/contents.go

@@ -16,6 +16,7 @@ import (
 	"gogs.io/gogs/internal/context"
 	"gogs.io/gogs/internal/database"
 	"gogs.io/gogs/internal/gitutil"
+	"gogs.io/gogs/internal/pathutil"
 	"gogs.io/gogs/internal/repoutil"
 )
 
@@ -120,7 +121,8 @@ func GetContents(c *context.APIContext) {
 		return
 	}
 
-	treePath := c.Params("*")
+	// 🚨 SECURITY: Prevent path traversal.
+	treePath := pathutil.Clean(c.Params("*"))
 	entry, err := commit.TreeEntry(treePath)
 	if err != nil {
 		c.NotFoundOrError(gitutil.NewError(err), "get tree entry")
@@ -188,7 +190,10 @@ func PutContents(c *context.APIContext, r PutContentsRequest) {
 	if r.Branch == "" {
 		r.Branch = c.Repo.Repository.DefaultBranch
 	}
-	treePath := c.Params("*")
+
+	// 🚨 SECURITY: Prevent path traversal.
+	treePath := pathutil.Clean(c.Params("*"))
+
 	err = c.Repo.Repository.UpdateRepoFile(
 		c.User,
 		database.UpdateRepoFileOptions{

internal/route/repo/editor.go

@@ -135,6 +135,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
 		branchName = f.NewBranchName
 	}
 
+	// 🚨 SECURITY: Prevent path traversal.
 	f.TreePath = pathutil.Clean(f.TreePath)
 	treeNames, treePaths := getParentTreeFields(f.TreePath)
 
@@ -342,6 +343,7 @@ func DeleteFilePost(c *context.Context, f form.DeleteRepoFile) {
 	c.PageIs("Delete")
 	c.Data["BranchLink"] = c.Repo.RepoLink + "/src/" + c.Repo.BranchName
 
+	// 🚨 SECURITY: Prevent path traversal.
 	c.Repo.TreePath = pathutil.Clean(c.Repo.TreePath)
 	c.Data["TreePath"] = c.Repo.TreePath
 
@@ -437,6 +439,7 @@ func UploadFilePost(c *context.Context, f form.UploadRepoFile) {
 		branchName = f.NewBranchName
 	}
 
+	// 🚨 SECURITY: Prevent path traversal.
 	f.TreePath = pathutil.Clean(f.TreePath)
 	treeNames, treePaths := getParentTreeFields(f.TreePath)
 	if len(treeNames) == 0 {

internal/route/repo/http.go

@@ -411,6 +411,7 @@ func HTTP(c *HTTPContext) {
 			return
 		}
 
+		// 🚨 SECURITY: Prevent path traversal.
 		cleaned := pathutil.Clean(m[1])
 		if m[1] != "/"+cleaned {
 			c.Error(http.StatusBadRequest, "Request path contains suspicious characters")