http: clean request path from Git endpoints (#7022)

pull/7785/head
Joe Chen 2022-06-07 21:11:36 +08:00
parent 20923a8829
commit a24b22c909
GPG Key ID: 0BDE5280C552FF60
3 changed files with 17 additions and 5 deletions


@ -25,6 +25,7 @@ All notable changes to Gogs are documented in this file.
- _Security:_ OS Command Injection in file editor. [#7000](https://github.com/gogs/gogs/issues/7000) - _Security:_ OS Command Injection in file editor. [#7000](https://github.com/gogs/gogs/issues/7000)
- _Security:_ Sanitize `DisplayName` in repository issue list. [#7009](https://github.com/gogs/gogs/pull/7009) - _Security:_ Sanitize `DisplayName` in repository issue list. [#7009](https://github.com/gogs/gogs/pull/7009)
- _Security:_ Path Traversal in file editor on Windows. [#7001](https://github.com/gogs/gogs/issues/7001) - _Security:_ Path Traversal in file editor on Windows. [#7001](https://github.com/gogs/gogs/issues/7001)
- _Security:_ Path Traversal in Git HTTP endpoints. [#7002](https://github.com/gogs/gogs/issues/7002)
- Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761) - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
- Unable to init repository during creation on Windows. [#6967](https://github.com/gogs/gogs/issues/6967) - Unable to init repository during creation on Windows. [#6967](https://github.com/gogs/gogs/issues/6967)
- Mysterious panic on `Value not found for type *repo.HTTPContext`. [#6963](https://github.com/gogs/gogs/issues/6963) - Mysterious panic on `Value not found for type *repo.HTTPContext`. [#6963](https://github.com/gogs/gogs/issues/6963)


@ -27,6 +27,10 @@ func TestClean(t *testing.T) {
path: "/../a/b/../c/../readme.txt", path: "/../a/b/../c/../readme.txt",
wantVal: "a/readme.txt", wantVal: "a/readme.txt",
}, },
{
path: "../../objects/info/..",
wantVal: "objects",
},
{ {
path: "/a/readme.txt", path: "/a/readme.txt",
wantVal: "a/readme.txt", wantVal: "a/readme.txt",


@ -23,6 +23,7 @@ import (
"gogs.io/gogs/internal/conf" "gogs.io/gogs/internal/conf"
"gogs.io/gogs/internal/db" "gogs.io/gogs/internal/db"
"gogs.io/gogs/internal/lazyregexp" "gogs.io/gogs/internal/lazyregexp"
"gogs.io/gogs/internal/pathutil"
"gogs.io/gogs/internal/tool" "gogs.io/gogs/internal/tool"
) )
@ -402,15 +403,21 @@ func HTTP(c *HTTPContext) {
} }
if route.method != c.Req.Method { if route.method != c.Req.Method {
c.NotFound() c.Error(http.StatusNotFound)
return return
} }
file := strings.TrimPrefix(reqPath, m[1]+"/") cleaned := pathutil.Clean(m[1])
dir, err := getGitRepoPath(m[1]) if m[1] != "/"+cleaned {
c.Error(http.StatusBadRequest, "Request path contains suspicious characters")
return
}
file := strings.TrimPrefix(reqPath, cleaned)
dir, err := getGitRepoPath(cleaned)
if err != nil { if err != nil {
log.Warn("HTTP.getGitRepoPath: %v", err) log.Warn("HTTP.getGitRepoPath: %v", err)
c.NotFound() c.Error(http.StatusNotFound)
return return
} }
@ -429,5 +436,5 @@ func HTTP(c *HTTPContext) {
return return
} }
c.NotFound() c.Error(http.StatusNotFound)
} }
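Review bot: The prefix stripped from `reqPath` on the `file :=` line no longer matches what it is applied to: the old code removed `m[1]+"/"` (so `reqPath` begins with `m[1]`), and the new guard `m[1] != "/"+cleaned` shows `m[1]` carries a leading slash that `cleaned` lacks, so `strings.TrimPrefix(reqPath, cleaned)` is a no-op and `file` keeps the whole `/owner/repo/...` path, which the route handlers presumably join onto `dir`. Because the guard has already established `m[1] == "/"+cleaned`, the original expression remains correct and safe: `file := strings.TrimPrefix(reqPath, m[1]+"/")`. `getGitRepoPath(cleaned)` likewise now receives the path without its leading slash; whether it tolerates that is outside the hunk and worth confirming. The guard itself is sound — rejecting any path that `pathutil.Clean` would rewrite stops `..` segments before the repository directory is resolved — and a handler-level test for the 400 response would pin that behaviour alongside the new `pathutil` case. `HTTP` begins before the first hunk and the hunks show only part of its body.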