Author | Jakob Wakeling <[email protected]> |
Date | 2025-01-04 00:09:19 |
Commit | 3c358ed2a85a9ee8a6c0e8b97710ca6f866fe8e1 |
Parent | 44175afe9872652f92cb0700b3bc59affb2393bb |
Disallow relative paths on repository creation
Diffstat
M | res/repo/create.html | | | 8 | ++++---- |
M | src/goit/goit.go | | | 3 | ++- |
M | src/repo/create.go | | | 19 | ++++++++++--------- |
3 files changed, 16 insertions, 14 deletions
diff --git a/res/repo/create.html b/res/repo/create.html
index 40510d1..a807b32 100644
--- a/res/repo/create.html
+++ b/res/repo/create.html
@@ -17,15 +17,15 @@
 <table>
 <tr>
 <td style="text-align: right;"><label for="reponame">Name</label></td>
- <td><input type="text" name="reponame"></td>
+ <td><input type="text" name="reponame" value="{{.Name}}"></td>
 </tr>
 <tr>
 <td style="text-align: right; vertical-align: top;"><label for="description">Description</label></td>
- <td><textarea name="description"></textarea></td>
+ <td><textarea name="description">{{.Description}}</textarea></td>
 </tr>
 <tr>
 <td style="text-align: right;"><label for="branch">Default Branch</label></td>
- <td><input type="text" name="branch" placeholder="master"></td>
+ <td><input type="text" name="branch" placeholder="master" value="{{.DefaultBranch}}"></td>
 </tr>
 <tr>
 <td style="text-align: right;"><label for="visibility">Visibility</label></td>
@@ -39,7 +39,7 @@
 </tr>
 <tr>
 <td style="text-align: right;"><label for="url">URL</label></td>
- <td><input type="text" name="url"></td>
+ <td><input type="text" name="url" value="{{.URL}}"></td>
 </tr>
 <!-- <tr>
 <td style="text-align: right;"><label for="username">Username</label></td>
diff --git a/src/goit/goit.go b/src/goit/goit.go
index 98e3d08..9144153 100644
--- a/src/goit/goit.go
+++ b/src/goit/goit.go
@@ -146,7 +146,8 @@ func IsLegal(s string) bool {
 }
 }
 
- return true
+ /* Disallow relative paths. */
+ return !strings.Contains(s, "../")
 }
 
 func Backup() error {
diff --git a/src/repo/create.go b/src/repo/create.go
index 96e2456..1ba8cf5 100644
--- a/src/repo/create.go
+++ b/src/repo/create.go
@@ -32,7 +32,7 @@ func HandleCreate(w http.ResponseWriter, r *http.Request) {
 data := struct {
 Title, Message string
 Name, Description string
- DefaultBranch, Url, Visibility string
+ DefaultBranch, URL, Visibility string
 IsMirror bool
 CsrfField template.HTML
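Review bot: The new return in IsLegal rejects only the substring `../`, so a name whose final segment is `..` (for example `foo/..`) or the bare name `..` still passes and collapses to the parent directory once it is joined to the repository root; `..` has to be rejected as a whole path segment, and a `.` segment is worth rejecting on the same grounds. I am assuming `/` is the accepted separator, since the reserved-name check in create.go splits the name on it; the loop that precedes the return, and thus the character set it allows, starts outside the hunk. Replacing the single Contains call with a per-segment check covers both forms without changing the function's contract.
```go
	/* Disallow relative paths: reject "." and ".." as whole segments, not just "../". */
	for _, seg := range strings.Split(s, "/") {
		if seg == "." || seg == ".." {
			return false
		}
	}
	return true
}
```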
@@ -45,8 +45,8 @@ func HandleCreate(w http.ResponseWriter, r *http.Request) {
 if r.Method == http.MethodPost {
 data.Name = r.FormValue("reponame")
 data.Description = r.FormValue("description")
- data.DefaultBranch = util.If(r.FormValue("branch") == "", "master", r.FormValue("branch"))
- data.Url = r.FormValue("url")
+ data.DefaultBranch = r.FormValue("branch")
+ data.URL = r.FormValue("url")
 data.Visibility = r.FormValue("visibility")
 data.IsMirror = r.FormValue("mirror") == "mirror"
 
@@ -55,7 +55,7 @@ func HandleCreate(w http.ResponseWriter, r *http.Request) {
 } else if slices.Contains(goit.Reserved, strings.SplitN(data.Name, "/", 2)[0]) || !goit.IsLegal(data.Name) {
 data.Message = "Name \"" + data.Name + "\" is illegal"
 } else if exists, err := goit.RepoExists(data.Name); err != nil {
- log.Println("[/repo/create]", err.Error())
+ util.PrintFuncError(err)
 goit.HttpError(w, http.StatusInternalServerError)
 return
 } else if exists {
@@ -65,14 +65,15 @@ func HandleCreate(w http.ResponseWriter, r *http.Request) {
 } else if visibility := goit.VisibilityFromString(data.Visibility); visibility == -1 {
 data.Message = "Visibility \"" + data.Visibility + "\" is invalid"
 } else if rid, err := goit.CreateRepo(goit.Repo{
- OwnerId: user.Id, Name: data.Name, Description: data.Description, DefaultBranch: data.DefaultBranch,
- Upstream: data.Url, Visibility: visibility, IsMirror: data.IsMirror,
+ OwnerId: user.Id, Name: data.Name, Description: data.Description,
+ DefaultBranch: util.If(data.DefaultBranch == "", "master", data.DefaultBranch), Upstream: data.URL,
+ Visibility: visibility, IsMirror: data.IsMirror,
 }); err != nil {
- log.Println("[/repo/create]", err.Error())
+ util.PrintFuncError(err)
 goit.HttpError(w, http.StatusInternalServerError)
 return
 } else {
- if data.Url != "" {
+ if data.URL != "" {
 goit.Cron.Add(rid, cron.Immediate, func() {
 if err := goit.Pull(rid); err != nil {
 log.Println("[cron:import]", err.Error())
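Review bot: DefaultBranch reaches goit.CreateRepo in the @@ -65 hunk with only the `util.If` empty-string default applied; the legality check that guards Name is never run on it, and the raw form value from the @@ -45 hunk goes through unchanged. Whether CreateRepo validates the branch name itself is not visible here, so this may be handled downstream, but keeping the two user-supplied names under the same rule in this validation chain is cheap: `} else if data.DefaultBranch != "" && !goit.IsLegal(data.DefaultBranch) {` followed by `data.Message = "Branch \"" + data.DefaultBranch + "\" is illegal"`, placed before the RepoExists branch. HandleCreate begins and ends outside this hunk.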
@@ -99,6 +100,6 @@ func HandleCreate(w http.ResponseWriter, r *http.Request) {
 }
 
 if err := goit.Tmpl.ExecuteTemplate(w, "repo/create", data); err != nil {
- log.Println("[/repo/create]", err.Error())
+ util.PrintFuncError(err)
 }
 }