fix

wxiaoguang · wxiaoguang · commit 16d228b4dec9 · 2025-11-11T22:12:58.000+08:00
diff --git a/modules/actions/workflows.go b/modules/actions/workflows.go
@@ -5,14 +5,14 @@ package actions
 
 import (
 	"bytes"
-	"io"
 	"slices"
 	"strings"
 
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/glob"
 	"code.gitea.io/gitea/modules/log"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
 
 	"github.com/nektos/act/pkg/jobparser"
@@ -77,7 +77,7 @@ func GetContentFromEntry(entry *git.TreeEntry) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	content, err := io.ReadAll(f)
+	content, err := util.ReadWithLimit(f, 1024*1024)
 	_ = f.Close()
 	if err != nil {
 		return nil, err
diff --git a/modules/issue/template/unmarshal.go b/modules/issue/template/unmarshal.go
@@ -5,7 +5,6 @@ package template
 
 import (
 	"fmt"
-	"io"
 	"path"
 	"strconv"
 
@@ -76,7 +75,7 @@ func unmarshalFromEntry(entry *git.TreeEntry, filename string) (*api.IssueTempla
 	}
 	defer r.Close()
 
-	content, err := io.ReadAll(r)
+	content, err := util.ReadWithLimit(r, 1024*1024)
 	if err != nil {
 		return nil, fmt.Errorf("read all: %w", err)
 	}
diff --git a/modules/packages/nuget/metadata.go b/modules/packages/nuget/metadata.go
@@ -216,7 +216,7 @@ func ParseNuspecMetaData(archive *zip.Reader, r io.Reader) (*Package, error) {
 	if p.Metadata.Readme != "" {
 		f, err := archive.Open(p.Metadata.Readme)
 		if err == nil {
-			buf, _ := io.ReadAll(f)
+			buf, _ := util.ReadWithLimit(f, 1024*1024)
 			m.Readme = string(buf)
 			_ = f.Close()
 		}
diff --git a/modules/packages/pub/metadata.go b/modules/packages/pub/metadata.go
@@ -89,7 +89,7 @@ func ParsePackage(r io.Reader) (*Package, error) {
 				return nil, err
 			}
 		} else if strings.EqualFold(hd.Name, "readme.md") {
-			data, err := io.ReadAll(tr)
+			data, err := util.ReadWithLimit(tr, 1024*1024)
 			if err != nil {
 				return nil, err
 			}
diff --git a/modules/util/io.go b/modules/util/io.go
@@ -29,7 +29,7 @@ func ReadAtMost(r io.Reader, buf []byte) (n int, err error) {
 // ReadWithLimit reads at most "limit" bytes from r into buf.
 // If EOF or ErrUnexpectedEOF occurs while reading, err will be nil.
 func ReadWithLimit(r io.Reader, n int) (buf []byte, err error) {
-	return readWithLimit(r, 1024, n)
+	return readWithLimit(r, 4*1024, n)
 }
 
 func readWithLimit(r io.Reader, batch, limit int) ([]byte, error) {
diff --git a/routers/web/repo/wiki.go b/routers/web/repo/wiki.go
@@ -133,7 +133,7 @@ func wikiContentsByEntry(ctx *context.Context, entry *git.TreeEntry) []byte {
 		return nil
 	}
 	defer reader.Close()
-	content, err := io.ReadAll(reader)
+	content, err := util.ReadWithLimit(reader, 100*1024*1024) // can a wiki page be larger than 100MB?
 	if err != nil {
 		ctx.ServerError("ReadAll", err)
 		return nil
diff --git a/services/issue/template.go b/services/issue/template.go
@@ -5,7 +5,6 @@ package issue
 
 import (
 	"fmt"
-	"io"
 	"net/url"
 	"path"
 	"strings"
@@ -15,6 +14,7 @@ import (
 	"code.gitea.io/gitea/modules/issue/template"
 	"code.gitea.io/gitea/modules/log"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 
 	"gopkg.in/yaml.v3"
 )
@@ -65,7 +65,7 @@ func GetTemplateConfig(gitRepo *git.Repository, path string, commit *git.Commit)
 
 	defer reader.Close()
 
-	configContent, err := io.ReadAll(reader)
+	configContent, err := util.ReadWithLimit(reader, 1024*1024)
 	if err != nil {
 		return GetDefaultTemplateConfig(), err
 	}
diff --git a/services/repository/generate.go b/services/repository/generate.go
@@ -140,13 +140,16 @@ func (gt *giteaTemplateFileMatcher) Match(s string) bool {
 
 func readGiteaTemplateFile(tmpDir string) (*giteaTemplateFileMatcher, error) {
 	localPath := filepath.Join(tmpDir, ".gitea", "template")
-	if _, err := os.Stat(localPath); os.IsNotExist(err) {
+	if ok, _ := util.IsRegularFile(localPath); !ok {
 		return nil, nil
-	} else if err != nil {
-		return nil, err
 	}
 
-	content, err := os.ReadFile(localPath)
+	f, err := os.Open(localPath)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	content, err := util.ReadWithLimit(f, 1024*1024)
 	if err != nil {
 		return nil, err
 	}
diff --git a/services/webhook/deliver.go b/services/webhook/deliver.go
@@ -30,6 +30,7 @@ import (
 	"code.gitea.io/gitea/modules/queue"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/util"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
 )
 
@@ -264,7 +265,7 @@ func Deliver(ctx context.Context, t *webhook_model.HookTask) error {
 		t.ResponseInfo.Headers[k] = strings.Join(vals, ",")
 	}
 
-	p, err := io.ReadAll(resp.Body)
+	p, err := util.ReadWithLimit(resp.Body, 1024*1024)
 	if err != nil {
 		t.ResponseInfo.Body = fmt.Sprintf("read body: %s", err)
 		return fmt.Errorf("unable to deliver webhook task[%d] in %s as unable to read response body: %w", t.ID, w.URL, err)

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,6 @@ package template`
`5`	`5`
`6`	`6`	`import (`
`7`	`7`	`"fmt"`
`8`		`- "io"`
`9`	`8`	`"path"`
`10`	`9`	`"strconv"`
`11`	`10`
`@@ -76,7 +75,7 @@ func unmarshalFromEntry(entry git.TreeEntry, filename string) (api.IssueTempla`
`76`	`75`	`}`
`77`	`76`	`defer r.Close()`
`78`	`77`
`79`		`- content, err := io.ReadAll(r)`
	`78`	`+ content, err := util.ReadWithLimit(r, 1024*1024)`
`80`	`79`	`if err != nil {`
`81`	`80`	`return nil, fmt.Errorf("read all: %w", err)`
`82`	`81`	`}`
Original file line number	Diff line number	Diff line change
`@@ -216,7 +216,7 @@ func ParseNuspecMetaData(archive zip.Reader, r io.Reader) (Package, error) {`
`216`	`216`	`if p.Metadata.Readme != "" {`
`217`	`217`	`f, err := archive.Open(p.Metadata.Readme)`
`218`	`218`	`if err == nil {`
`219`		`- buf, _ := io.ReadAll(f)`
	`219`	`+ buf, _ := util.ReadWithLimit(f, 1024*1024)`
`220`	`220`	`m.Readme = string(buf)`
`221`	`221`	`_ = f.Close()`
`222`	`222`	`}`
Original file line number	Diff line number	Diff line change
`@@ -89,7 +89,7 @@ func ParsePackage(r io.Reader) (*Package, error) {`
`89`	`89`	`return nil, err`
`90`	`90`	`}`
`91`	`91`	`} else if strings.EqualFold(hd.Name, "readme.md") {`
`92`		`- data, err := io.ReadAll(tr)`
	`92`	`+ data, err := util.ReadWithLimit(tr, 1024*1024)`
`93`	`93`	`if err != nil {`
`94`	`94`	`return nil, err`
`95`	`95`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func ReadAtMost(r io.Reader, buf []byte) (n int, err error) {`
`29`	`29`	`// ReadWithLimit reads at most "limit" bytes from r into buf.`
`30`	`30`	`// If EOF or ErrUnexpectedEOF occurs while reading, err will be nil.`
`31`	`31`	`func ReadWithLimit(r io.Reader, n int) (buf []byte, err error) {`
`32`		`- return readWithLimit(r, 1024, n)`
	`32`	`+ return readWithLimit(r, 4*1024, n)`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`func readWithLimit(r io.Reader, batch, limit int) ([]byte, error) {`
Original file line number	Diff line number	Diff line change
`@@ -133,7 +133,7 @@ func wikiContentsByEntry(ctx context.Context, entry git.TreeEntry) []byte {`
`133`	`133`	`return nil`
`134`	`134`	`}`
`135`	`135`	`defer reader.Close()`
`136`		`- content, err := io.ReadAll(reader)`
	`136`	`+ content, err := util.ReadWithLimit(reader, 10010241024) // can a wiki page be larger than 100MB?`
`137`	`137`	`if err != nil {`
`138`	`138`	`ctx.ServerError("ReadAll", err)`
`139`	`139`	`return nil`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ import (`
`30`	`30`	`"code.gitea.io/gitea/modules/queue"`
`31`	`31`	`"code.gitea.io/gitea/modules/setting"`
`32`	`32`	`"code.gitea.io/gitea/modules/timeutil"`
	`33`	`+ "code.gitea.io/gitea/modules/util"`
`33`	`34`	`webhook_module "code.gitea.io/gitea/modules/webhook"`
`34`	`35`	`)`
`35`	`36`
`@@ -264,7 +265,7 @@ func Deliver(ctx context.Context, t *webhook_model.HookTask) error {`
`264`	`265`	`t.ResponseInfo.Headers[k] = strings.Join(vals, ",")`
`265`	`266`	`}`
`266`	`267`
`267`		`- p, err := io.ReadAll(resp.Body)`
	`268`	`+ p, err := util.ReadWithLimit(resp.Body, 1024*1024)`
`268`	`269`	`if err != nil {`
`269`	`270`	`t.ResponseInfo.Body = fmt.Sprintf("read body: %s", err)`
`270`	`271`	`return fmt.Errorf("unable to deliver webhook task[%d] in %s as unable to read response body: %w", t.ID, w.URL, err)`