
Commit 9bf748b

authored
http: clean request path from Git endpoints (#7022)
1 parent e370657 commit 9bf748b

3 files changed

+17
-5
lines changed


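--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ All notable changes to Gogs are documented in this file.
 - _Security:_ OS Command Injection in file editor. [#7000](https://github.com/gogs/gogs/issues/7000)
 - _Security:_ Sanitize `DisplayName` in repository issue list. [#7009](https://github.com/gogs/gogs/pull/7009)
 - _Security:_ Path Traversal in file editor on Windows. [#7001](https://github.com/gogs/gogs/issues/7001)
+- _Security:_ Path Traversal in Git HTTP endpoints. [#7002](https://github.com/gogs/gogs/issues/7002)
 - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
 - Unable to init repository during creation on Windows. [#6967](https://github.com/gogs/gogs/issues/6967)
 - Mysterious panic on `Value not found for type *repo.HTTPContext`. [#6963](https://github.com/gogs/gogs/issues/6963)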

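--- a/internal/pathutil/pathutil_test.go
+++ b/internal/pathutil/pathutil_test.go
@@ -27,6 +27,10 @@ func TestClean(t *testing.T) {
 path: "/../a/b/../c/../readme.txt",
 wantVal: "a/readme.txt",
 },
+{
+path: "../../objects/info/..",
+wantVal: "objects",
+},
 {
 path: "/a/readme.txt",
 wantVal: "a/readme.txt",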

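--- a/internal/route/repo/http.go
+++ b/internal/route/repo/http.go
@@ -24,6 +24,7 @@ import (
 "gogs.io/gogs/internal/conf"
 "gogs.io/gogs/internal/db"
 "gogs.io/gogs/internal/lazyregexp"
+"gogs.io/gogs/internal/pathutil"
 "gogs.io/gogs/internal/tool"
 )
 
@@ -408,15 +409,21 @@ func HTTP(c *HTTPContext) {
 }
 
 if route.method != c.Req.Method {
-c.NotFound()
+c.Error(http.StatusNotFound)
 return
 }
 
-file := strings.TrimPrefix(reqPath, m[1]+"/")
-dir, err := getGitRepoPath(m[1])
+cleaned := pathutil.Clean(m[1])
+if m[1] != "/"+cleaned {
+c.Error(http.StatusBadRequest, "Request path contains suspicious characters")
+return
+}
+
+file := strings.TrimPrefix(reqPath, cleaned)
+dir, err := getGitRepoPath(cleaned)
 if err != nil {
 log.Warn("HTTP.getGitRepoPath: %v", err)
-c.NotFound()
+c.Error(http.StatusNotFound)
 return
 }
 
@@ -435,5 +442,5 @@ func HTTP(c *HTTPContext) {
 return
 }
 
-c.NotFound()
+c.Error(http.StatusNotFound)
 }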
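Review bot: The prefix handed to strings.TrimPrefix on the new `file := strings.TrimPrefix(reqPath, cleaned)` line in the second hunk appears to no longer match what reqPath starts with: the guard two lines above establishes `m[1] == "/"+cleaned`, and m[1] is the leading capture taken from reqPath, so reqPath begins with "/"+cleaned rather than with cleaned, and TrimPrefix would return reqPath unchanged where the old `m[1]+"/"` prefix stripped the repository segment and its trailing separator. Unless reqPath loses its leading slash before this point (the start of HTTP, where reqPath and m are assigned, is outside the hunk, as is the function's end), whatever later consumes `file` would receive the full request path instead of the path relative to the repository. Restoring the old semantics on the cleaned value reads `file := strings.TrimPrefix(reqPath, "/"+cleaned+"/")`. A test that drives HTTP with a plain `/<owner>/<repo>.git/info/refs` request (constructed sample) and checks the `file` passed to the route handler would pin this alongside the rejection path the new guard already covers for traversal input.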
