
repo_editor: prohibit move files to to `.git` directory (#6986)

# Conflicts:
#	CHANGELOG.md
Joe Chen 3 ani în urmă
5250403d60
2 a modificat fișierele cu 9 adăugiri și 4 ștergeri
  1. 0 1
      CHANGELOG.md
  2. 9 3
      internal/db/repo_editor.go

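--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,7 +22,6 @@ All notable changes to Gogs are documented in this file.
 
 ### Fixed
 
-- _Security:_ SSRF in webhook. [#6901](https://github.com/gogs/gogs/issues/6901)
 - _Security:_ XSS in cookies. [#6953](https://github.com/gogs/gogs/issues/6953)
 - _Security:_ OS Command Injection in file uploading. [#6968](https://github.com/gogs/gogs/issues/6968)
 - _Security:_ Remote Command Execution in file editing. [#6555](https://github.com/gogs/gogs/issues/6555)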

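--- a/internal/db/repo_editor.go
+++ b/internal/db/repo_editor.go
@@ -121,6 +121,11 @@ type UpdateRepoFileOptions struct {
 
 // UpdateRepoFile adds or updates a file in repository.
 func (repo *Repository) UpdateRepoFile(doer *User, opts UpdateRepoFileOptions) (err error) {
+	// 🚨 SECURITY: Prevent uploading files into the ".git" directory
+	if isRepositoryGitPath(opts.NewTreeName) {
+		return errors.Errorf("bad tree path %q", opts.NewTreeName)
+	}
+
 	repoWorkingPool.CheckIn(com.ToStr(repo.ID))
 	defer repoWorkingPool.CheckOut(com.ToStr(repo.ID))
 
@@ -446,7 +451,8 @@ type UploadRepoFileOptions struct {
 	Files        []string // In UUID format
 }
 
-// isRepositoryGitPath returns true if given path is or resides inside ".git" path of the repository.
+// isRepositoryGitPath returns true if given path is or resides inside ".git"
+// path of the repository.
 func isRepositoryGitPath(path string) bool {
 	return strings.HasSuffix(path, ".git") || strings.Contains(path, ".git"+string(os.PathSeparator))
 }
@@ -456,7 +462,7 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
 		return nil
 	}
 
-	// Prevent uploading files into the ".git" directory
+	// 🚨 SECURITY: Prevent uploading files into the ".git" directory
 	if isRepositoryGitPath(opts.TreePath) {
 		return errors.Errorf("bad tree path %q", opts.TreePath)
 	}
@@ -496,7 +502,7 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
 
 		upload.Name = pathutil.Clean(upload.Name)
 
-		// Prevent uploading files into the ".git" directory
+		// 🚨 SECURITY: Prevent uploading files into the ".git" directory
 		if isRepositoryGitPath(upload.Name) {
 			continue
 		}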
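Review bot: isRepositoryGitPath in the second hunk matches `.git` as a raw substring joined with os.PathSeparator, so a slash-separated tree path such as the opts.NewTreeName now checked in the first hunk is not caught on Windows, where the separator is a backslash, and a differently-cased `.GIT` component is never caught even though a working tree on a case-insensitive filesystem resolves it to the real .git directory. The first-hunk check also runs on the raw opts.NewTreeName before any cleaning, whereas the upload loop in the last hunk calls pathutil.Clean first; UpdateRepoFile's body continues outside its hunk, so whether NewTreeName is normalized later is not visible here. I would keep the two existing tests and additionally reject any path component that equals `.git` case-insensitively, splitting on both `/` and os.PathSeparator, so the helper no longer depends on the caller's separator or on filesystem case rules.
```go
func isRepositoryGitPath(path string) bool {
	if strings.HasSuffix(path, ".git") || strings.Contains(path, ".git"+string(os.PathSeparator)) {
		return true
	}
	// Component-wise check that is independent of the separator used by the
	// caller and of filesystem case sensitivity.
	isSep := func(r rune) bool { return r == '/' || r == os.PathSeparator }
	for _, part := range strings.FieldsFunc(path, isSep) {
		if strings.EqualFold(part, ".git") {
			return true
		}
	}
	return false
}
```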