From c3977fb5581a6f4a1d8af58b29321897b7c31467 Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Fri, 5 Apr 2024 22:13:44 +0000
Subject: [PATCH 1/3] Extract and display comments.

---
 modules/packages/composer/metadata.go   | 23 +++++++++++++++++++++++
 templates/package/content/composer.tmpl |  9 ++++-----
 2 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/modules/packages/composer/metadata.go b/modules/packages/composer/metadata.go
index 1d0f02564889..dc0bea132466 100644
--- a/modules/packages/composer/metadata.go
+++ b/modules/packages/composer/metadata.go
@@ -40,6 +40,7 @@ type Package struct {
 type Metadata struct {
 	Description string            `json:"description,omitempty"`
 	Keywords    []string          `json:"keywords,omitempty"`
+	Comments    Comments          `json:"_comments,omitempty"`
 	Homepage    string            `json:"homepage,omitempty"`
 	License     Licenses          `json:"license,omitempty"`
 	Authors     []Author          `json:"authors,omitempty"`
@@ -74,6 +75,28 @@ func (l *Licenses) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
+// Comments represents the comments of a Composer package
+type Comments []string
+
+// UnmarshalJSON reads from a string or array
+func (c *Comments) UnmarshalJSON(data []byte) error {
+	switch data[0] {
+	case '"':
+		var value string
+		if err := json.Unmarshal(data, &value); err != nil {
+			return err
+		}
+		*c = Comments{value}
+	case '[':
+		values := make([]string, 0, 5)
+		if err := json.Unmarshal(data, &values); err != nil {
+			return err
+		}
+		*c = Comments(values)
+	}
+	return nil
+}
+
 // Author represents an author
 type Author struct {
 	Name     string `json:"name,omitempty"`
diff --git a/templates/package/content/composer.tmpl b/templates/package/content/composer.tmpl
index c2dc6345c376..a07e7f1957b5 100644
--- a/templates/package/content/composer.tmpl
+++ b/templates/package/content/composer.tmpl
@@ -22,11 +22,10 @@
 		</div>
 	</div>
 
-	{{if .PackageDescriptor.Metadata.Description}}
+	{{if or .PackageDescriptor.Metadata.Description .PackageDescriptor.Metadata.Comments}}
 		<h4 class="ui top attached header">{{ctx.Locale.Tr "packages.about"}}</h4>
-		<div class="ui attached segment">
-			{{.PackageDescriptor.Metadata.Description}}
-		</div>
+		{{if .PackageDescriptor.Metadata.Description}}<div class="ui attached segment">{{.PackageDescriptor.Metadata.Description}}</div>{{end}}
+		{{if .PackageDescriptor.Metadata.Comments}}<div class="ui attached segment">{{StringUtils.Join .PackageDescriptor.Metadata.Comments " "}}</div>{{end}}
 	{{end}}
 
 	{{if or .PackageDescriptor.Metadata.Require .PackageDescriptor.Metadata.RequireDev}}
@@ -39,7 +38,7 @@
 		</div>
 	{{end}}
 
-	{{if or .PackageDescriptor.Metadata.Keywords}}
+	{{if .PackageDescriptor.Metadata.Keywords}}
 		<h4 class="ui top attached header">{{ctx.Locale.Tr "packages.keywords"}}</h4>
 		<div class="ui attached segment">
 			{{range .PackageDescriptor.Metadata.Keywords}}

From 2c742e320d954c4366a78ec19caa79a7983a82ac Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Thu, 9 May 2024 20:43:09 +0000
Subject: [PATCH 2/3] Extract and display readme.

---
 modules/packages/composer/metadata.go      | 19 ++++++-
 modules/packages/composer/metadata_test.go | 62 +++++++++++++++-------
 templates/package/content/composer.tmpl    |  1 +
 3 files changed, 61 insertions(+), 21 deletions(-)

diff --git a/modules/packages/composer/metadata.go b/modules/packages/composer/metadata.go
index dc0bea132466..7ed989b27743 100644
--- a/modules/packages/composer/metadata.go
+++ b/modules/packages/composer/metadata.go
@@ -36,9 +36,12 @@ type Package struct {
 	Metadata *Metadata
 }
 
+// https://getcomposer.org/doc/04-schema.md
+
 // Metadata represents the metadata of a Composer package
 type Metadata struct {
 	Description string            `json:"description,omitempty"`
+	Readme      string            `json:"readme,omitempty"`
 	Keywords    []string          `json:"keywords,omitempty"`
 	Comments    Comments          `json:"_comments,omitempty"`
 	Homepage    string            `json:"homepage,omitempty"`
@@ -124,14 +127,14 @@ func ParsePackage(r io.ReaderAt, size int64) (*Package, error) {
 			}
 			defer f.Close()
 
-			return ParseComposerFile(f)
+			return ParseComposerFile(archive, f)
 		}
 	}
 	return nil, ErrMissingComposerFile
 }
 
 // ParseComposerFile parses a composer.json file to retrieve the metadata of a Composer package
-func ParseComposerFile(r io.Reader) (*Package, error) {
+func ParseComposerFile(archive *zip.Reader, r io.Reader) (*Package, error) {
 	var cj struct {
 		Name    string `json:"name"`
 		Version string `json:"version"`
@@ -160,6 +163,18 @@ func ParseComposerFile(r io.Reader) (*Package, error) {
 		cj.Type = "library"
 	}
 
+	if cj.Readme == "" {
+		cj.Readme = "README.md"
+	}
+	f, err := archive.Open(cj.Readme)
+	if err == nil {
+		buf, _ := io.ReadAll(f)
+		cj.Readme = string(buf)
+		_ = f.Close()
+	} else {
+		cj.Readme = ""
+	}
+
 	return &Package{
 		Name:     cj.Name,
 		Version:  cj.Version,
diff --git a/modules/packages/composer/metadata_test.go b/modules/packages/composer/metadata_test.go
index a0e1a77a6ed3..a5e317daf1cd 100644
--- a/modules/packages/composer/metadata_test.go
+++ b/modules/packages/composer/metadata_test.go
@@ -17,6 +17,8 @@ import (
 const (
 	name        = "gitea/composer-package"
 	description = "Package Description"
+	readme      = "Package Readme"
+	comments    = "Package Comment"
 	packageType = "composer-plugin"
 	author      = "Gitea Authors"
 	email       = "no.reply@gitea.io"
@@ -41,7 +43,8 @@ const composerContent = `{
     },
     "require": {
         "php": ">=7.2 || ^8.0"
-    }
+    },
+    "_comments": "` + comments + `"
 }`
 
 func TestLicenseUnmarshal(t *testing.T) {
@@ -54,18 +57,30 @@ func TestLicenseUnmarshal(t *testing.T) {
 	assert.Equal(t, "MIT", l[0])
 }
 
+func TestCommentsUnmarshal(t *testing.T) {
+	var c Comments
+	assert.NoError(t, json.NewDecoder(strings.NewReader(`["comment"]`)).Decode(&c))
+	assert.Len(t, c, 1)
+	assert.Equal(t, "comment", c[0])
+	assert.NoError(t, json.NewDecoder(strings.NewReader(`"comment"`)).Decode(&c))
+	assert.Len(t, c, 1)
+	assert.Equal(t, "comment", c[0])
+}
+
 func TestParsePackage(t *testing.T) {
-	createArchive := func(name, content string) []byte {
+	createArchive := func(files map[string]string) []byte {
 		var buf bytes.Buffer
 		archive := zip.NewWriter(&buf)
-		w, _ := archive.Create(name)
-		w.Write([]byte(content))
+		for name, content := range files {
+			w, _ := archive.Create(name)
+			w.Write([]byte(content))
+		}
 		archive.Close()
 		return buf.Bytes()
 	}
 
 	t.Run("MissingComposerFile", func(t *testing.T) {
-		data := createArchive("dummy.txt", "")
+		data := createArchive(map[string]string{"dummy.txt": ""})
 
 		cp, err := ParsePackage(bytes.NewReader(data), int64(len(data)))
 		assert.Nil(t, cp)
@@ -73,7 +88,7 @@ func TestParsePackage(t *testing.T) {
 	})
 
 	t.Run("MissingComposerFileInRoot", func(t *testing.T) {
-		data := createArchive("sub/sub/composer.json", "")
+		data := createArchive(map[string]string{"sub/sub/composer.json": ""})
 
 		cp, err := ParsePackage(bytes.NewReader(data), int64(len(data)))
 		assert.Nil(t, cp)
@@ -81,43 +96,52 @@ func TestParsePackage(t *testing.T) {
 	})
 
 	t.Run("InvalidComposerFile", func(t *testing.T) {
-		data := createArchive("composer.json", "")
+		data := createArchive(map[string]string{"composer.json": ""})
 
 		cp, err := ParsePackage(bytes.NewReader(data), int64(len(data)))
 		assert.Nil(t, cp)
 		assert.Error(t, err)
 	})
 
-	t.Run("Valid", func(t *testing.T) {
-		data := createArchive("composer.json", composerContent)
+	t.Run("InvalidPackageName", func(t *testing.T) {
+		data := createArchive(map[string]string{"composer.json": "{}"})
 
 		cp, err := ParsePackage(bytes.NewReader(data), int64(len(data)))
-		assert.NoError(t, err)
-		assert.NotNil(t, cp)
-	})
-}
-
-func TestParseComposerFile(t *testing.T) {
-	t.Run("InvalidPackageName", func(t *testing.T) {
-		cp, err := ParseComposerFile(strings.NewReader(`{}`))
 		assert.Nil(t, cp)
 		assert.ErrorIs(t, err, ErrInvalidName)
 	})
 
 	t.Run("InvalidPackageVersion", func(t *testing.T) {
-		cp, err := ParseComposerFile(strings.NewReader(`{"name": "gitea/composer-package", "version": "1.a.3"}`))
+		data := createArchive(map[string]string{"composer.json": `{"name": "gitea/composer-package", "version": "1.a.3"}`})
+
+		cp, err := ParsePackage(bytes.NewReader(data), int64(len(data)))
 		assert.Nil(t, cp)
 		assert.ErrorIs(t, err, ErrInvalidVersion)
 	})
 
+	t.Run("InvalidReadmePath", func(t *testing.T) {
+		data := createArchive(map[string]string{"composer.json": `{"name": "gitea/composer-package", "readme": "sub/README.md"}`})
+
+		cp, err := ParsePackage(bytes.NewReader(data), int64(len(data)))
+		assert.NoError(t, err)
+		assert.NotNil(t, cp)
+
+		assert.Empty(t, cp.Metadata.Readme)
+	})
+
 	t.Run("Valid", func(t *testing.T) {
-		cp, err := ParseComposerFile(strings.NewReader(composerContent))
+		data := createArchive(map[string]string{"composer.json": composerContent, "README.md": readme})
+
+		cp, err := ParsePackage(bytes.NewReader(data), int64(len(data)))
 		assert.NoError(t, err)
 		assert.NotNil(t, cp)
 
 		assert.Equal(t, name, cp.Name)
 		assert.Empty(t, cp.Version)
 		assert.Equal(t, description, cp.Metadata.Description)
+		assert.Equal(t, readme, cp.Metadata.Readme)
+		assert.Len(t, cp.Metadata.Comments, 1)
+		assert.Equal(t, comments, cp.Metadata.Comments[0])
 		assert.Len(t, cp.Metadata.Authors, 1)
 		assert.Equal(t, author, cp.Metadata.Authors[0].Name)
 		assert.Equal(t, email, cp.Metadata.Authors[0].Email)
diff --git a/templates/package/content/composer.tmpl b/templates/package/content/composer.tmpl
index a07e7f1957b5..8d48e6c95d5e 100644
--- a/templates/package/content/composer.tmpl
+++ b/templates/package/content/composer.tmpl
@@ -25,6 +25,7 @@
 	{{if or .PackageDescriptor.Metadata.Description .PackageDescriptor.Metadata.Comments}}
 		<h4 class="ui top attached header">{{ctx.Locale.Tr "packages.about"}}</h4>
 		{{if .PackageDescriptor.Metadata.Description}}<div class="ui attached segment">{{.PackageDescriptor.Metadata.Description}}</div>{{end}}
+		{{if .PackageDescriptor.Metadata.Readme}}<div class="ui attached segment markup markdown">{{RenderMarkdownToHtml $.Context .PackageDescriptor.Metadata.Readme}}</div>{{end}}
 		{{if .PackageDescriptor.Metadata.Comments}}<div class="ui attached segment">{{StringUtils.Join .PackageDescriptor.Metadata.Comments " "}}</div>{{end}}
 	{{end}}
 

From 4b771c2c7d6f7548978e5f85d32f325848e29d4e Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Thu, 13 Jun 2024 13:55:16 +0000
Subject: [PATCH 3/3] Limit readme content size.

---
 modules/packages/composer/metadata.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/packages/composer/metadata.go b/modules/packages/composer/metadata.go
index ff7eb1e62d54..2c2e9ebf27c8 100644
--- a/modules/packages/composer/metadata.go
+++ b/modules/packages/composer/metadata.go
@@ -169,7 +169,8 @@ func ParseComposerFile(archive *zip.Reader, pathPrefix string, r io.Reader) (*Pa
 	}
 	f, err := archive.Open(path.Join(pathPrefix, cj.Readme))
 	if err == nil {
-		buf, _ := io.ReadAll(f)
+		// 10kb limit for readme content
+		buf, _ := io.ReadAll(io.LimitReader(f, 10*1024))
 		cj.Readme = string(buf)
 		_ = f.Close()
 	} else {