
Commit 0cd48d2

unknwondna2github
authored andcommitted
repo_editor: prohibit move files to to .git directory (gogs#6986)
1 parent 2d986aa commit 0cd48d2


2 files changed

+12
-3
lines changed


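--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,9 @@ All notable changes to Gogs are documented in this file.
 
 ### Fixed
 
+- _Security:_ XSS in cookies. [#6953](https://github.com/gogs/gogs/issues/6953)
+- _Security:_ OS Command Injection in file uploading. [#6968](https://github.com/gogs/gogs/issues/6968)
+- _Security:_ Remote Command Execution in file editing. [#6555](https://github.com/gogs/gogs/issues/6555)
 - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
 
 ### Removed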

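--- a/internal/db/repo_editor.go
+++ b/internal/db/repo_editor.go
@@ -121,6 +121,11 @@ type UpdateRepoFileOptions struct {
 
 // UpdateRepoFile adds or updates a file in repository.
 func (repo *Repository) UpdateRepoFile(doer *User, opts UpdateRepoFileOptions) (err error) {
+// 🚨 SECURITY: Prevent uploading files into the ".git" directory
+if isRepositoryGitPath(opts.NewTreeName) {
+return errors.Errorf("bad tree path %q", opts.NewTreeName)
+}
+
 repoWorkingPool.CheckIn(com.ToStr(repo.ID))
 defer repoWorkingPool.CheckOut(com.ToStr(repo.ID))
 
@@ -458,7 +463,8 @@ type UploadRepoFileOptions struct {
 Files []string // In UUID format
 }
 
-// isRepositoryGitPath returns true if given path is or resides inside ".git" path of the repository.
+// isRepositoryGitPath returns true if given path is or resides inside ".git"
+// path of the repository.
 func isRepositoryGitPath(path string) bool {
 return strings.HasSuffix(path, ".git") ||
 strings.Contains(path, ".git"+string(os.PathSeparator)) ||
@@ -472,7 +478,7 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
 return nil
 }
 
-// Prevent uploading files into the ".git" directory
+// 🚨 SECURITY: Prevent uploading files into the ".git" directory
 if isRepositoryGitPath(opts.TreePath) {
 return errors.Errorf("bad tree path %q", opts.TreePath)
 }
@@ -512,7 +518,7 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
 
 upload.Name = pathutil.Clean(upload.Name)
 
-// Prevent uploading files into the ".git" directory
+// 🚨 SECURITY: Prevent uploading files into the ".git" directory
 if isRepositoryGitPath(upload.Name) {
 continue
 }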
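Review bot: The new guard at the top of UpdateRepoFile tests opts.NewTreeName exactly as received, whereas UploadRepoFiles (last hunk) calls isRepositoryGitPath only after `upload.Name = pathutil.Clean(upload.Name)`; for the two entry points to reject the same set of paths, the edit path should normalise first, e.g. `opts.NewTreeName = pathutil.Clean(opts.NewTreeName)` immediately before the check. If UpdateRepoFileOptions also carries the previous tree name for a move (the struct and the rest of the function are outside this hunk), that field is not validated here, so confirm that a source path inside ".git" is rejected before the rename is carried out. The added comment is copied verbatim from the upload path; `// 🚨 SECURITY: Prevent editing or moving files into the ".git" directory` describes what UpdateRepoFile actually guards. The third operand of isRepositoryGitPath and the body of UpdateRepoFile continue outside the hunks shown.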
