mirrors/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2025-10-16 21:56:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Address some CodeQL security concerns (#35572)

Browse Source 
Although there is no real security problem
This commit is contained in:
wxiaoguang
2025-10-04 01:21:26 +08:00
committed by GitHub
parent c4532101a4
commit 71360a94cb
35 changed files with 118 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
routers/web/repo/githttp.go
View File

@@ -376,7 +376,7 @@ func (h *serviceHandler) sendFile(ctx *context.Context, contentType, file string
ctx.Resp.WriteHeader(http.StatusBadRequest)
return
}
reqFile := filepath.Join(h.getRepoDir(), file)
reqFile := filepath.Join(h.getRepoDir(), filepath.Clean(file))
fi, err := os.Stat(reqFile)
if os.IsNotExist(err) {
@@ -395,13 +395,12 @@ func (h *serviceHandler) sendFile(ctx *context.Context, contentType, file string
var safeGitProtocolHeader = regexp.MustCompile(`^[0-9a-zA-Z]+=[0-9a-zA-Z]+(:[0-9a-zA-Z]+=[0-9a-zA-Z]+)*$`)
func prepareGitCmdWithAllowedService(service string) (*gitcmd.Command, error) {
if service == "receive-pack" {
return gitcmd.NewCommand("receive-pack"), nil
if service == ServiceTypeReceivePack {
return gitcmd.NewCommand(ServiceTypeReceivePack), nil
}
if service == "upload-pack" {
return gitcmd.NewCommand("upload-pack"), nil
if service == ServiceTypeUploadPack {
return gitcmd.NewCommand(ServiceTypeUploadPack), nil
}
return nil, fmt.Errorf("service %q is not allowed", service)
}
@@ -464,11 +463,16 @@ func serviceRPC(ctx *context.Context, h *serviceHandler, service string) {
}
}
const (
ServiceTypeUploadPack = "upload-pack"
ServiceTypeReceivePack = "receive-pack"
)
// ServiceUploadPack implements Git Smart HTTP protocol
func ServiceUploadPack(ctx *context.Context) {
h := httpBase(ctx)
if h != nil {
serviceRPC(ctx, h, "upload-pack")
serviceRPC(ctx, h, ServiceTypeUploadPack)
}
}
@@ -476,16 +480,18 @@ func ServiceUploadPack(ctx *context.Context) {
func ServiceReceivePack(ctx *context.Context) {
h := httpBase(ctx)
if h != nil {
serviceRPC(ctx, h, "receive-pack")
serviceRPC(ctx, h, ServiceTypeReceivePack)
}
}
func getServiceType(ctx *context.Context) string {
serviceType := ctx.Req.FormValue("service")
if !strings.HasPrefix(serviceType, "git-") {
return ""
switch ctx.Req.FormValue("service") {
case "git-" + ServiceTypeUploadPack:
return ServiceTypeUploadPack
case "git-" + ServiceTypeReceivePack:
return ServiceTypeReceivePack
}
return strings.TrimPrefix(serviceType, "git-")
return ""
}
func updateServerInfo(ctx gocontext.Context, dir string) []byte {