From 240258a3e5de1330a91f80f4b8cad0cbe9efd862 Mon Sep 17 00:00:00 2001
From: Vasil Mikhalenya
Date: Sat, 4 Apr 2020 19:29:58 +0300
Subject: [PATCH] Avoiding directory execution on hook (#10954) (#10955)
* test -x is not enough https://stackoverflow.com/a/39489087
---
 .../user2/repo20.git/hooks/post-receive | 2 +-
 .../user2/repo20.git/hooks/pre-receive | 2 +-
 .../gitea-repositories-meta/user2/repo20.git/hooks/update | 2 +-
 .../user27/template1.git/hooks/post-receive | 2 +-
 .../user27/template1.git/hooks/pre-receive | 2 +-
 .../user27/template1.git/hooks/update | 2 +-
 modules/repository/hooks.go | 6 +++---
 7 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/integrations/gitea-repositories-meta/user2/repo20.git/hooks/post-receive b/integrations/gitea-repositories-meta/user2/repo20.git/hooks/post-receive
index 1733c16a3..f1f2709dd 100755
--- a/integrations/gitea-repositories-meta/user2/repo20.git/hooks/post-receive
+++ b/integrations/gitea-repositories-meta/user2/repo20.git/hooks/post-receive
@@ -5,7 +5,7 @@ hookname=$(basename $0)
 GIT_DIR=${GIT_DIR:-$(dirname $0)}
 for hook in ${GIT_DIR}/hooks/${hookname}.d/*; do
-test -x "${hook}" || continue
+test -x "${hook}" && test -f "${hook}" || continue
 echo "${data}" | "${hook}"
 exitcodes="${exitcodes} $?"
 done
diff --git a/integrations/gitea-repositories-meta/user2/repo20.git/hooks/pre-receive b/integrations/gitea-repositories-meta/user2/repo20.git/hooks/pre-receive
index 1733c16a3..f1f2709dd 100755
--- a/integrations/gitea-repositories-meta/user2/repo20.git/hooks/pre-receive
+++ b/integrations/gitea-repositories-meta/user2/repo20.git/hooks/pre-receive
@@ -5,7 +5,7 @@ hookname=$(basename $0)
 GIT_DIR=${GIT_DIR:-$(dirname $0)}
 for hook in ${GIT_DIR}/hooks/${hookname}.d/*; do
-test -x "${hook}" || continue
+test -x "${hook}" && test -f "${hook}" || continue
 echo "${data}" | "${hook}"
 exitcodes="${exitcodes} $?"
 done
diff --git a/integrations/gitea-repositories-meta/user2/repo20.git/hooks/update b/integrations/gitea-repositories-meta/user2/repo20.git/hooks/update
index 2918ffb7e..df5bd27f1 100755
--- a/integrations/gitea-repositories-meta/user2/repo20.git/hooks/update
+++ b/integrations/gitea-repositories-meta/user2/repo20.git/hooks/update
@@ -4,7 +4,7 @@ hookname=$(basename $0)
 GIT_DIR=${GIT_DIR:-$(dirname $0)}
 for hook in ${GIT_DIR}/hooks/${hookname}.d/*; do
-test -x "${hook}" || continue
+test -x "${hook}" && test -f "${hook}" || continue
 "${hook}" $1 $2 $3
 exitcodes="${exitcodes} $?"
 done
diff --git a/integrations/gitea-repositories-meta/user27/template1.git/hooks/post-receive b/integrations/gitea-repositories-meta/user27/template1.git/hooks/post-receive
index 1733c16a3..f1f2709dd 100644
--- a/integrations/gitea-repositories-meta/user27/template1.git/hooks/post-receive
+++ b/integrations/gitea-repositories-meta/user27/template1.git/hooks/post-receive
@@ -5,7 +5,7 @@ hookname=$(basename $0)
 GIT_DIR=${GIT_DIR:-$(dirname $0)}
 for hook in ${GIT_DIR}/hooks/${hookname}.d/*; do
-test -x "${hook}" || continue
+test -x "${hook}" && test -f "${hook}" || continue
 echo "${data}" | "${hook}"
 exitcodes="${exitcodes} $?"
 done
diff --git a/integrations/gitea-repositories-meta/user27/template1.git/hooks/pre-receive b/integrations/gitea-repositories-meta/user27/template1.git/hooks/pre-receive
index 1733c16a3..f1f2709dd 100644
--- a/integrations/gitea-repositories-meta/user27/template1.git/hooks/pre-receive
+++ b/integrations/gitea-repositories-meta/user27/template1.git/hooks/pre-receive
@@ -5,7 +5,7 @@ hookname=$(basename $0)
 GIT_DIR=${GIT_DIR:-$(dirname $0)}
 for hook in ${GIT_DIR}/hooks/${hookname}.d/*; do
-test -x "${hook}" || continue
+test -x "${hook}" && test -f "${hook}" || continue
 echo "${data}" | "${hook}"
 exitcodes="${exitcodes} $?"
 done
diff --git a/integrations/gitea-repositories-meta/user27/template1.git/hooks/update b/integrations/gitea-repositories-meta/user27/template1.git/hooks/update
index 2918ffb7e..df5bd27f1 100644
--- a/integrations/gitea-repositories-meta/user27/template1.git/hooks/update
+++ b/integrations/gitea-repositories-meta/user27/template1.git/hooks/update
@@ -4,7 +4,7 @@ hookname=$(basename $0)
 GIT_DIR=${GIT_DIR:-$(dirname $0)}
 for hook in ${GIT_DIR}/hooks/${hookname}.d/*; do
-test -x "${hook}" || continue
+test -x "${hook}" && test -f "${hook}" || continue
 "${hook}" $1 $2 $3
 exitcodes="${exitcodes} $?"
 done
diff --git a/modules/repository/hooks.go b/modules/repository/hooks.go
index 60e341857..404c89771 100644
--- a/modules/repository/hooks.go
+++ b/modules/repository/hooks.go
@@ -29,9 +29,9 @@ func createDelegateHooks(repoPath string) (err error) {
 var (
 hookNames = []string{"pre-receive", "update", "post-receive"}
 hookTpls = []string{
- fmt.Sprintf("#!/usr/bin/env %s\ndata=$(cat)\nexitcodes=\"\"\nhookname=$(basename $0)\nGIT_DIR=${GIT_DIR:-$(dirname $0)}\n\nfor hook in ${GIT_DIR}/hooks/${hookname}.d/*; do\ntest -x \"${hook}\" || continue\necho \"${data}\" | \"${hook}\"\nexitcodes=\"${exitcodes} $?\"\ndone\n\nfor i in ${exitcodes}; do\n[ ${i} -eq 0 ] || exit ${i}\ndone\n", setting.ScriptType),
- fmt.Sprintf("#!/usr/bin/env %s\nexitcodes=\"\"\nhookname=$(basename $0)\nGIT_DIR=${GIT_DIR:-$(dirname $0)}\n\nfor hook in ${GIT_DIR}/hooks/${hookname}.d/*; do\ntest -x \"${hook}\" || continue\n\"${hook}\" $1 $2 $3\nexitcodes=\"${exitcodes} $?\"\ndone\n\nfor i in ${exitcodes}; do\n[ ${i} -eq 0 ] || exit ${i}\ndone\n", setting.ScriptType),
- fmt.Sprintf("#!/usr/bin/env %s\ndata=$(cat)\nexitcodes=\"\"\nhookname=$(basename $0)\nGIT_DIR=${GIT_DIR:-$(dirname $0)}\n\nfor hook in ${GIT_DIR}/hooks/${hookname}.d/*; do\ntest -x \"${hook}\" || continue\necho \"${data}\" | \"${hook}\"\nexitcodes=\"${exitcodes} $?\"\ndone\n\nfor i in ${exitcodes}; do\n[ ${i} -eq 0 ] || exit ${i}\ndone\n", setting.ScriptType),
+ fmt.Sprintf("#!/usr/bin/env %s\ndata=$(cat)\nexitcodes=\"\"\nhookname=$(basename $0)\nGIT_DIR=${GIT_DIR:-$(dirname $0)}\n\nfor hook in ${GIT_DIR}/hooks/${hookname}.d/*; do\ntest -x \"${hook}\" && test -f \"${hook}\" || continue\necho \"${data}\" | \"${hook}\"\nexitcodes=\"${exitcodes} $?\"\ndone\n\nfor i in ${exitcodes}; do\n[ ${i} -eq 0 ] || exit ${i}\ndone\n", setting.ScriptType),
+ fmt.Sprintf("#!/usr/bin/env %s\nexitcodes=\"\"\nhookname=$(basename $0)\nGIT_DIR=${GIT_DIR:-$(dirname $0)}\n\nfor hook in ${GIT_DIR}/hooks/${hookname}.d/*; do\ntest -x \"${hook}\" && test -f \"${hook}\" || continue\n\"${hook}\" $1 $2 $3\nexitcodes=\"${exitcodes} $?\"\ndone\n\nfor i in ${exitcodes}; do\n[ ${i} -eq 0 ] || exit ${i}\ndone\n", setting.ScriptType),
+ fmt.Sprintf("#!/usr/bin/env %s\ndata=$(cat)\nexitcodes=\"\"\nhookname=$(basename $0)\nGIT_DIR=${GIT_DIR:-$(dirname $0)}\n\nfor hook in ${GIT_DIR}/hooks/${hookname}.d/*; do\ntest -x \"${hook}\" && test -f \"${hook}\" || continue\necho \"${data}\" | \"${hook}\"\nexitcodes=\"${exitcodes} $?\"\ndone\n\nfor i in ${exitcodes}; do\n[ ${i} -eq 0 ] || exit ${i}\ndone\n", setting.ScriptType),
 }
 giteaHookTpls = []string{
 fmt.Sprintf("#!/usr/bin/env %s\n\"%s\" hook --config='%s' pre-receive\n", setting.ScriptType, setting.AppPath, setting.CustomConf),
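Review bot: The delegate script built in `hookTpls` fails open, and the stricter filter added here widens that: an entry rejected by `test -x "${hook}" && test -f "${hook}" || continue` is skipped without any message, and if nothing runs `exitcodes` stays empty, so the closing loop never reaches `exit` and the hook returns 0. For `pre-receive` and `update` that would let a push through whenever the script generated from `giteaHookTpls` is missing or no longer an executable regular file (presumably it is written into `${hookname}.d/`; that code is outside this hunk). If an empty `.d` directory is never a valid state, fail closed before the exit-code loop with something like `[ -n "${exitcodes}" ] || { echo "${hookname}: no runnable hook" >&2; exit 1; }`, or at least report skipped entries on stderr. A Go comment above `hookTpls`, for example `// test -f is required: directories usually carry the execute bit, so test -x alone accepts them`, would keep the reason next to the escaped one-line script instead of only in the commit message. createDelegateHooks starts before and continues past this hunk, and the six fixture scripts under `integrations/` repeat the same loop.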