cerc-io/gitea
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Do not convert file path to lowercase (#15023)

Browse Source 
* Do not convert file path to lowercase.

* lint

* Check against lowercase hostname.
This commit is contained in:
KN4CK3R 2021-03-18 14:58:47 +01:00 committed by GitHub
parent 032f4c3969
commit e8ad6c1ff3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 49 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
integrations/migrate_test.go Normal file
View File

@ -0,0 +1,42 @@
// Copyright 2021 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package integrations
import (
"io/ioutil"
"os"
"testing"
"code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/migrations"
"code.gitea.io/gitea/modules/setting"
"github.com/stretchr/testify/assert"
)
func TestMigrateLocalPath(t *testing.T) {
assert.NoError(t, models.PrepareTestDatabase())
adminUser := models.AssertExistsAndLoadBean(t, &models.User{Name: "user1"}).(*models.User)
old := setting.ImportLocalPaths
setting.ImportLocalPaths = true
lowercasePath, err := ioutil.TempDir("", "lowercase") // may not be lowercase because TempDir creates a random directory name which may be mixedcase
assert.NoError(t, err)
defer os.RemoveAll(lowercasePath)
err = migrations.IsMigrateURLAllowed(lowercasePath, adminUser)
assert.NoError(t, err, "case lowercase path")
mixedcasePath, err := ioutil.TempDir("", "mIxeDCaSe")
assert.NoError(t, err)
defer os.RemoveAll(mixedcasePath)
err = migrations.IsMigrateURLAllowed(mixedcasePath, adminUser)
assert.NoError(t, err, "case mixedcase path")
setting.ImportLocalPaths = old
}

7
modules/migrations/migrate.go
View File

@ -39,7 +39,7 @@ func RegisterDownloaderFactory(factory base.DownloaderFactory) {
// IsMigrateURLAllowed checks if an URL is allowed to be migrated from // IsMigrateURLAllowed checks if an URL is allowed to be migrated from
func IsMigrateURLAllowed(remoteURL string, doer *models.User) error { func IsMigrateURLAllowed(remoteURL string, doer *models.User) error {
// Remote address can be HTTP/HTTPS/Git URL or local path. // Remote address can be HTTP/HTTPS/Git URL or local path.
u, err := url.Parse(strings.ToLower(remoteURL)) u, err := url.Parse(remoteURL)
if err != nil { if err != nil {
return &models.ErrInvalidCloneAddr{IsURLError: true} return &models.ErrInvalidCloneAddr{IsURLError: true}
} }
@ -72,12 +72,13 @@ func IsMigrateURLAllowed(remoteURL string, doer *models.User) error {
return &models.ErrInvalidCloneAddr{Host: u.Host, IsProtocolInvalid: true, IsPermissionDenied: true, IsURLError: true} return &models.ErrInvalidCloneAddr{Host: u.Host, IsProtocolInvalid: true, IsPermissionDenied: true, IsURLError: true}
} }
host := strings.ToLower(u.Host)
if len(setting.Migrations.AllowedDomains) > 0 { if len(setting.Migrations.AllowedDomains) > 0 {
if !allowList.Match(u.Host) { if !allowList.Match(host) {
return &models.ErrInvalidCloneAddr{Host: u.Host, IsPermissionDenied: true} return &models.ErrInvalidCloneAddr{Host: u.Host, IsPermissionDenied: true}
} }
} else { } else {
if blockList.Match(u.Host) { if blockList.Match(host) {
return &models.ErrInvalidCloneAddr{Host: u.Host, IsPermissionDenied: true} return &models.ErrInvalidCloneAddr{Host: u.Host, IsPermissionDenied: true}
} }
} }

3
modules/migrations/migrate_test.go
View File

@ -29,6 +29,9 @@ func TestMigrateWhiteBlocklist(t *testing.T) {
err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser) err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)
assert.NoError(t, err) assert.NoError(t, err)
err = IsMigrateURLAllowed("https://gITHUb.com/go-gitea/gitea.git", nonAdminUser)
assert.NoError(t, err)
setting.Migrations.AllowedDomains = []string{} setting.Migrations.AllowedDomains = []string{}
setting.Migrations.BlockedDomains = []string{"github.com"} setting.Migrations.BlockedDomains = []string{"github.com"}
assert.NoError(t, Init()) assert.NoError(t, Init())