From 15cdb19d7732080732867c5b5f5b23a98b7b796b Mon Sep 17 00:00:00 2001 From: Lauris BH Date: Tue, 1 May 2018 12:10:50 +0300 Subject: [PATCH] Fix path cleanup in multiple places (#3871) (#3873) --- models/repo.go | 2 +- modules/lfs/server.go | 18 ++++++++++++++---- routers/repo/editor.go | 4 ++-- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/models/repo.go b/models/repo.go index ba5b7b36a..cf8aff110 100644 --- a/models/repo.go +++ b/models/repo.go @@ -1131,7 +1131,7 @@ type CreateRepoOptions struct { } func getRepoInitFile(tp, name string) ([]byte, error) { - cleanedName := strings.TrimLeft(name, "./") + cleanedName := strings.TrimLeft(path.Clean("/"+name), "/") relPath := path.Join("options", tp, cleanedName) // Use custom file when available. diff --git a/modules/lfs/server.go b/modules/lfs/server.go index a81d8e5c9..dc1279177 100644 --- a/modules/lfs/server.go +++ b/modules/lfs/server.go @@ -83,6 +83,8 @@ type link struct { ExpiresAt time.Time `json:"expires_at,omitempty"` } +var oidRegExp = regexp.MustCompile(`^[A-Fa-f0-9]+$`) + // ObjectOidHandler is the main request routing entry point into LFS server functions func ObjectOidHandler(ctx *context.Context) { @@ -217,6 +219,12 @@ func PostHandler(ctx *context.Context) { if !authenticate(ctx, repository, rv.Authorization, true) { requireAuth(ctx) + return + } + + if !oidRegExp.MatchString(rv.Oid) { + writeStatus(ctx, 404) + return } meta, err := models.NewLFSMetaObject(&models.LFSMetaObject{Oid: rv.Oid, Size: rv.Size, RepositoryID: repository.ID}) @@ -284,10 +292,12 @@ func BatchHandler(ctx *context.Context) { continue } - // Object is not found - meta, err = models.NewLFSMetaObject(&models.LFSMetaObject{Oid: object.Oid, Size: object.Size, RepositoryID: repository.ID}) - if err == nil { - responseObjects = append(responseObjects, Represent(object, meta, meta.Existing, !contentStore.Exists(meta))) + if oidRegExp.MatchString(object.Oid) { + // Object is not found + meta, err = models.NewLFSMetaObject(&models.LFSMetaObject{Oid: object.Oid, Size: object.Size, RepositoryID: repository.ID}) + if err == nil { + responseObjects = append(responseObjects, Represent(object, meta, meta.Existing, !contentStore.Exists(meta))) + } } } diff --git a/routers/repo/editor.go b/routers/repo/editor.go index 6c6bf304f..d36bcc4c3 100644 --- a/routers/repo/editor.go +++ b/routers/repo/editor.go @@ -163,7 +163,7 @@ func editFilePost(ctx *context.Context, form auth.EditRepoFileForm, isNewFile bo branchName = form.NewBranchName } - form.TreePath = strings.Trim(form.TreePath, " /") + form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /") treeNames, treePaths := getParentTreeFields(form.TreePath) ctx.Data["TreePath"] = form.TreePath @@ -477,7 +477,7 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) { branchName = form.NewBranchName } - form.TreePath = strings.Trim(form.TreePath, " /") + form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /") treeNames, treePaths := getParentTreeFields(form.TreePath) if len(treeNames) == 0 { // We must at least have one element for user to input.