USEFULL/gogs
1
0
Fork 0
mirror of https://github.com/gogs/gogs.git synced 2025-05-25 08:54:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

repo/editor: clean up tree path

Browse Source 
Fixes a security issue reported by @zeripath.
This commit is contained in:
ᴜɴᴋɴᴡᴏɴ 2020-02-19 23:45:02 +08:00
parent 33c6341ccd
commit ce1ec81d6f
No known key found for this signature in database
GPG Key ID: B43718D76E30A238
3 changed files with 69 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
internal/pathutil/pathutil.go Normal file
View File

@ -0,0 +1,15 @@
// Copyright 2020 The Gogs Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package pathutil
import (
"path"
"strings"
)
// Clean cleans up given path and returns a relative path that goes straight down.
func Clean(p string) string {
return strings.Trim(path.Clean("/"+p), "/")
}

49
internal/pathutil/pathutil_test.go Normal file
View File

@ -0,0 +1,49 @@
// Copyright 2020 The Gogs Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package pathutil
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestClean(t *testing.T) {
tests := []struct {
path string
expVal string
}{
{
path: "../../../readme.txt",
expVal: "readme.txt",
},
{
path: "a/../../../readme.txt",
expVal: "readme.txt",
},
{
path: "/../a/b/../c/../readme.txt",
expVal: "a/readme.txt",
},
{
path: "/a/readme.txt",
expVal: "a/readme.txt",
},
{
path: "/",
expVal: "",
},
{
path: "/a/b/c/readme.txt",
expVal: "a/b/c/readme.txt",
},
}
for _, test := range tests {
t.Run("", func(t *testing.T) {
assert.Equal(t, test.expVal, Clean(test.path))
})
}
}

7
internal/route/repo/editor.go
View File

@ -18,6 +18,7 @@ import (
"gogs.io/gogs/internal/db" "gogs.io/gogs/internal/db"
"gogs.io/gogs/internal/db/errors" "gogs.io/gogs/internal/db/errors"
"gogs.io/gogs/internal/form" "gogs.io/gogs/internal/form"
"gogs.io/gogs/internal/pathutil"
"gogs.io/gogs/internal/setting" "gogs.io/gogs/internal/setting"
"gogs.io/gogs/internal/template" "gogs.io/gogs/internal/template"
"gogs.io/gogs/internal/tool" "gogs.io/gogs/internal/tool"
@ -141,7 +142,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
branchName = f.NewBranchName branchName = f.NewBranchName
} }
f.TreePath = strings.Trim(path.Clean("/"+f.TreePath), " /") f.TreePath = pathutil.Clean(f.TreePath)
treeNames, treePaths := getParentTreeFields(f.TreePath) treeNames, treePaths := getParentTreeFields(f.TreePath)
c.Data["ParentTreePath"] = path.Dir(c.Repo.TreePath) c.Data["ParentTreePath"] = path.Dir(c.Repo.TreePath)
@ -339,6 +340,8 @@ func DeleteFile(c *context.Context) {
func DeleteFilePost(c *context.Context, f form.DeleteRepoFile) { func DeleteFilePost(c *context.Context, f form.DeleteRepoFile) {
c.PageIs("Delete") c.PageIs("Delete")
c.Data["BranchLink"] = c.Repo.RepoLink + "/src/" + c.Repo.BranchName c.Data["BranchLink"] = c.Repo.RepoLink + "/src/" + c.Repo.BranchName
c.Repo.TreePath = pathutil.Clean(c.Repo.TreePath)
c.Data["TreePath"] = c.Repo.TreePath c.Data["TreePath"] = c.Repo.TreePath
oldBranchName := c.Repo.BranchName oldBranchName := c.Repo.BranchName
@ -433,7 +436,7 @@ func UploadFilePost(c *context.Context, f form.UploadRepoFile) {
branchName = f.NewBranchName branchName = f.NewBranchName
} }
f.TreePath = strings.Trim(path.Clean("/"+f.TreePath), " /") f.TreePath = pathutil.Clean(f.TreePath)
treeNames, treePaths := getParentTreeFields(f.TreePath) treeNames, treePaths := getParentTreeFields(f.TreePath)
if len(treeNames) == 0 { if len(treeNames) == 0 {
// We must at least have one element for user to input. // We must at least have one element for user to input.