From deeb3f73e47bdbd4e6576ec97699766dcb18fa4d Mon Sep 17 00:00:00 2001
From: Joe Chen
Date: Sat, 4 Jun 2022 13:11:29 +0800
Subject: [PATCH] repo_editor: check both styles of `os.PathSeparator` in all systems (#7005)
# Conflicts:
# CHANGELOG.md
---
 CHANGELOG.md | 17 +++++++++++---
 internal/db/repo_editor.go | 6 +++--
 internal/db/repo_editor_test.go | 41 ++++++++++++++++++++++-----------
 3 files changed, 45 insertions(+), 19 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 58ba5dd93..e09a29cce 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,9 +22,7 @@ All notable changes to Gogs are documented in this file.
 ### Fixed
-- _Security:_ XSS in cookies. [#6953](https://github.com/gogs/gogs/issues/6953)
-- _Security:_ OS Command Injection in file uploading. [#6968](https://github.com/gogs/gogs/issues/6968)
-- _Security:_ Remote Command Execution in file editing. [#6555](https://github.com/gogs/gogs/issues/6555)
+- _Security:_ OS Command Injection in file editor. [#7000](https://github.com/gogs/gogs/issues/7000)
 - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
 - Unable to init repository during creation on Windows. [#6967](https://github.com/gogs/gogs/issues/6967)
 - Mysterious panic on `Value not found for type *repo.HTTPContext`. [#6963](https://github.com/gogs/gogs/issues/6963)
@@ -49,6 +47,19 @@ All notable changes to Gogs are documented in this file.
 - Configuration option `[database] PASSWD` is no longer used, please use `[database] PASSWORD`.
 - Remove option to use Makefile as the build tool. [#6980](https://github.com/gogs/gogs/pull/6980)
+## 0.12.8
+
+### Changed
+
+- All users (including admins) need to use the configuration option `[security] LOCAL_NETWORK_ALLOWLIST` to allow repository migration and webhooks to be able to access local network addresses, which is a comma separated list of hostnames. [#6988](https://github.com/gogs/gogs/pull/6988)
+
+### Fixed
+
+- _Security:_ SSRF in webhook. [#6901](https://github.com/gogs/gogs/issues/6901)
+- _Security:_ XSS in cookies. [#6953](https://github.com/gogs/gogs/issues/6953)
+- _Security:_ OS Command Injection in file uploading. [#6968](https://github.com/gogs/gogs/issues/6968)
+- _Security:_ Remote Command Execution in file editing. [#6555](https://github.com/gogs/gogs/issues/6555)
+
 ## 0.12.7
 ### Fixed
diff --git a/internal/db/repo_editor.go b/internal/db/repo_editor.go
index 2df7a80db..3ba47ff9e 100644
--- a/internal/db/repo_editor.go
+++ b/internal/db/repo_editor.go
@@ -455,10 +455,12 @@ type UploadRepoFileOptions struct {
 // path of the repository.
 func isRepositoryGitPath(path string) bool {
 return strings.HasSuffix(path, ".git") ||
- strings.Contains(path, ".git"+string(os.PathSeparator)) ||
+ strings.Contains(path, ".git/") ||
+ strings.Contains(path, `.git\`) ||
 // Windows treats ".git." the same as ".git"
 strings.HasSuffix(path, ".git.") ||
- strings.Contains(path, ".git."+string(os.PathSeparator))
+ strings.Contains(path, ".git./") ||
+ strings.Contains(path, `.git.\`)
 }
 func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions) error {
diff --git a/internal/db/repo_editor_test.go b/internal/db/repo_editor_test.go
index ea2bf7a92..6aeed011a 100644
--- a/internal/db/repo_editor_test.go
+++ b/internal/db/repo_editor_test.go
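Review bot: The new `strings.Contains`/`HasSuffix` checks in isRepositoryGitPath compare `.git` byte-for-byte, so a component spelled `.GIT` or `.Git` is not caught even though on a case-insensitive filesystem (Windows, macOS by default) it resolves to the same metadata directory this guard exists to protect; folding once at the top, `path = strings.ToLower(path)`, would cover every suffix and substring check below it. Checking both separator styles regardless of host OS is the right call, since the path string comes from the request rather than from the host filesystem. The helper remains a purely textual check, so it presumably relies on the caller having already cleaned the path (`..`, leading separators) — that contract is worth stating in the doc comment, which begins before the hunk, e.g. `// isRepositoryGitPath reports whether path names or lies inside the repository's .git directory, with either separator style; callers must pass an already-cleaned path.`.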
@@ -5,7 +5,6 @@ package db
 import (
- "path/filepath"
 "testing"
 "github.com/stretchr/testify/assert"
@@ -16,23 +15,37 @@ func Test_isRepositoryGitPath(t *testing.T) {
 path string
 wantVal bool
 }{
- {path: filepath.Join(".", ".git"), wantVal: true},
- {path: filepath.Join(".", ".git", ""), wantVal: true},
- {path: filepath.Join(".", ".git", "hooks", "pre-commit"), wantVal: true},
- {path: filepath.Join(".git", "hooks"), wantVal: true},
- {path: filepath.Join("dir", ".git"), wantVal: true},
+ {path: ".git", wantVal: true},
+ {path: "./.git", wantVal: true},
+ {path: ".git/hooks/pre-commit", wantVal: true},
+ {path: ".git/hooks", wantVal: true},
+ {path: "dir/.git", wantVal: true},
- {path: filepath.Join(".", ".git."), wantVal: true},
- {path: filepath.Join(".", ".git.", ""), wantVal: true},
- {path: filepath.Join(".", ".git.", "hooks", "pre-commit"), wantVal: true},
- {path: filepath.Join(".git.", "hooks"), wantVal: true},
- {path: filepath.Join("dir", ".git."), wantVal: true},
+ {path: ".gitignore", wantVal: false},
+ {path: "dir/.gitkeep", wantVal: false},
- {path: filepath.Join(".gitignore"), wantVal: false},
- {path: filepath.Join("dir", ".gitkeep"), wantVal: false},
+ // Windows-specific
+ {path: `.git\`, wantVal: true},
+ {path: `.git\hooks\pre-commit`, wantVal: true},
+ {path: `.git\hooks`, wantVal: true},
+ {path: `dir\.git`, wantVal: true},
+
+ {path: `.\.git.`, wantVal: true},
+ {path: `.\.git.\`, wantVal: true},
+ {path: `.git.\hooks\pre-commit`, wantVal: true},
+ {path: `.git.\hooks`, wantVal: true},
+ {path: `dir\.git.`, wantVal: true},
+
+ {path: "./.git.", wantVal: true},
+ {path: "./.git./", wantVal: true},
+ {path: ".git./hooks/pre-commit", wantVal: true},
+ {path: ".git./hooks", wantVal: true},
+ {path: "dir/.git.", wantVal: true},
+
+ {path: `dir\.gitkeep`, wantVal: false},
 }
 for _, test := range tests {
- t.Run("", func(t *testing.T) {
+ t.Run(test.path, func(t *testing.T) {
 assert.Equal(t, test.wantVal, isRepositoryGitPath(test.path))
 })
 }
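Review bot: The `// Windows-specific` label above the backslash cases in the second hunk is now misleading: after this change those cases run and must pass on every OS, which is exactly what the patch sets out to guarantee, so `// Backslash separators, rejected on all systems` describes what the group asserts. Using `test.path` as the subtest name is a clear improvement over `""`, but names containing `/` become nested subtest paths for `go test -run` (e.g. `Test_isRepositoryGitPath/.git/hooks`), which makes selecting one case awkward; an explicit `name` field in the table would keep them flat. The table also has no case-variant entry (`.GIT`, `.Git`), so whatever isRepositoryGitPath decides about case folding is currently untested.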