Fix path cleanup in multiple places (#3871)

This commit is contained in:
Lauris BH 2018-05-01 04:46:04 +03:00 committed by Bo-Yi Wu
parent fff022ef8a
commit 181b3a8f09
3 changed files with 17 additions and 7 deletions

View file

@ -1133,7 +1133,7 @@ type CreateRepoOptions struct {
} }
func getRepoInitFile(tp, name string) ([]byte, error) { func getRepoInitFile(tp, name string) ([]byte, error) {
cleanedName := strings.TrimLeft(name, "./") cleanedName := strings.TrimLeft(path.Clean("/"+name), "/")
relPath := path.Join("options", tp, cleanedName) relPath := path.Join("options", tp, cleanedName)
// Use custom file when available. // Use custom file when available.

View file

@ -83,6 +83,8 @@ type link struct {
ExpiresAt time.Time `json:"expires_at,omitempty"` ExpiresAt time.Time `json:"expires_at,omitempty"`
} }
var oidRegExp = regexp.MustCompile(`^[A-Fa-f0-9]+$`)
// ObjectOidHandler is the main request routing entry point into LFS server functions // ObjectOidHandler is the main request routing entry point into LFS server functions
func ObjectOidHandler(ctx *context.Context) { func ObjectOidHandler(ctx *context.Context) {
@ -217,6 +219,12 @@ func PostHandler(ctx *context.Context) {
if !authenticate(ctx, repository, rv.Authorization, true) { if !authenticate(ctx, repository, rv.Authorization, true) {
requireAuth(ctx) requireAuth(ctx)
return
}
if !oidRegExp.MatchString(rv.Oid) {
writeStatus(ctx, 404)
return
} }
meta, err := models.NewLFSMetaObject(&models.LFSMetaObject{Oid: rv.Oid, Size: rv.Size, RepositoryID: repository.ID}) meta, err := models.NewLFSMetaObject(&models.LFSMetaObject{Oid: rv.Oid, Size: rv.Size, RepositoryID: repository.ID})
@ -284,10 +292,12 @@ func BatchHandler(ctx *context.Context) {
continue continue
} }
// Object is not found if oidRegExp.MatchString(object.Oid) {
meta, err = models.NewLFSMetaObject(&models.LFSMetaObject{Oid: object.Oid, Size: object.Size, RepositoryID: repository.ID}) // Object is not found
if err == nil { meta, err = models.NewLFSMetaObject(&models.LFSMetaObject{Oid: object.Oid, Size: object.Size, RepositoryID: repository.ID})
responseObjects = append(responseObjects, Represent(object, meta, meta.Existing, !contentStore.Exists(meta))) if err == nil {
responseObjects = append(responseObjects, Represent(object, meta, meta.Existing, !contentStore.Exists(meta)))
}
} }
} }

View file

@ -163,7 +163,7 @@ func editFilePost(ctx *context.Context, form auth.EditRepoFileForm, isNewFile bo
branchName = form.NewBranchName branchName = form.NewBranchName
} }
form.TreePath = strings.Trim(form.TreePath, " /") form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /")
treeNames, treePaths := getParentTreeFields(form.TreePath) treeNames, treePaths := getParentTreeFields(form.TreePath)
ctx.Data["TreePath"] = form.TreePath ctx.Data["TreePath"] = form.TreePath
@ -477,7 +477,7 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) {
branchName = form.NewBranchName branchName = form.NewBranchName
} }
form.TreePath = strings.Trim(form.TreePath, " /") form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /")
treeNames, treePaths := getParentTreeFields(form.TreePath) treeNames, treePaths := getParentTreeFields(form.TreePath)
if len(treeNames) == 0 { if len(treeNames) == 0 {
// We must at least have one element for user to input. // We must at least have one element for user to input.