From e8ad6c1ff36b257506bcc30482e9ad02badd0566 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Thu, 18 Mar 2021 14:58:47 +0100
Subject: [PATCH] Do not convert file path to lowercase (#15023)
* Do not convert file path to lowercase.
* lint
* Check against lowercase hostname.
---
 integrations/migrate_test.go | 42 ++++++++++++++++++++++++++++++
 modules/migrations/migrate.go | 7 ++---
 modules/migrations/migrate_test.go | 3 +++
 3 files changed, 49 insertions(+), 3 deletions(-)
 create mode 100644 integrations/migrate_test.go
diff --git a/integrations/migrate_test.go b/integrations/migrate_test.go
new file mode 100644
index 000000000..b0395fbc3
--- /dev/null
+++ b/integrations/migrate_test.go
@@ -0,0 +1,42 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+ "io/ioutil"
+ "os"
+ "testing"
+
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/migrations"
+ "code.gitea.io/gitea/modules/setting"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestMigrateLocalPath(t *testing.T) {
+ assert.NoError(t, models.PrepareTestDatabase())
+
+ adminUser := models.AssertExistsAndLoadBean(t, &models.User{Name: "user1"}).(*models.User)
+
+ old := setting.ImportLocalPaths
+ setting.ImportLocalPaths = true
+
+ lowercasePath, err := ioutil.TempDir("", "lowercase") // may not be lowercase because TempDir creates a random directory name which may be mixedcase
+ assert.NoError(t, err)
+ defer os.RemoveAll(lowercasePath)
+
+ err = migrations.IsMigrateURLAllowed(lowercasePath, adminUser)
+ assert.NoError(t, err, "case lowercase path")
+
+ mixedcasePath, err := ioutil.TempDir("", "mIxeDCaSe")
+ assert.NoError(t, err)
+ defer os.RemoveAll(mixedcasePath)
+
+ err = migrations.IsMigrateURLAllowed(mixedcasePath, adminUser)
+ assert.NoError(t, err, "case mixedcase path")
+
+ setting.ImportLocalPaths = old
+}
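Review bot: `setting.ImportLocalPaths` is restored by a plain assignment on the last line of TestMigrateLocalPath, so a panic earlier in the test would leave local-path import enabled for every later test in the package; put `defer func() { setting.ImportLocalPaths = old }()` directly after `old := setting.ImportLocalPaths`. The test also pins only the allowed direction with an admin user. Since importing from a local path is a privileged operation, a companion assertion that a non-admin user (or `setting.ImportLocalPaths = false`) gets an error for the same mixed-case directory would cover the denial path too, assuming IsMigrateURLAllowed enforces that, which this diff does not show.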
diff --git a/modules/migrations/migrate.go b/modules/migrations/migrate.go
index 619b572a3..75fee80a3 100644
--- a/modules/migrations/migrate.go
+++ b/modules/migrations/migrate.go
@@ -39,7 +39,7 @@ func RegisterDownloaderFactory(factory base.DownloaderFactory) {
 // IsMigrateURLAllowed checks if an URL is allowed to be migrated from
 func IsMigrateURLAllowed(remoteURL string, doer *models.User) error {
 // Remote address can be HTTP/HTTPS/Git URL or local path.
- u, err := url.Parse(strings.ToLower(remoteURL))
+ u, err := url.Parse(remoteURL)
 if err != nil {
 return &models.ErrInvalidCloneAddr{IsURLError: true}
 }
@@ -72,12 +72,13 @@ func IsMigrateURLAllowed(remoteURL string, doer *models.User) error {
 return &models.ErrInvalidCloneAddr{Host: u.Host, IsProtocolInvalid: true, IsPermissionDenied: true, IsURLError: true}
 }
+ host := strings.ToLower(u.Host)
 if len(setting.Migrations.AllowedDomains) > 0 {
- if !allowList.Match(u.Host) {
+ if !allowList.Match(host) {
 return &models.ErrInvalidCloneAddr{Host: u.Host, IsPermissionDenied: true}
 }
 } else {
- if blockList.Match(u.Host) {
+ if blockList.Match(host) {
 return &models.ErrInvalidCloneAddr{Host: u.Host, IsPermissionDenied: true}
 }
 }
diff --git a/modules/migrations/migrate_test.go b/modules/migrations/migrate_test.go
index be119d32d..98ee2dfc4 100644
--- a/modules/migrations/migrate_test.go
+++ b/modules/migrations/migrate_test.go
@@ -29,6 +29,9 @@ func TestMigrateWhiteBlocklist(t *testing.T) {
 err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)
 assert.NoError(t, err)
+ err = IsMigrateURLAllowed("https://gITHUb.com/go-gitea/gitea.git", nonAdminUser)
+ assert.NoError(t, err)
+
 setting.Migrations.AllowedDomains = []string{}
 setting.Migrations.BlockedDomains = []string{"github.com"}
 assert.NoError(t, Init())
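Review bot: With `strings.ToLower` dropped from the `url.Parse` call, every use of `u.Host` between this hunk and the allow/block match now sees the caller's original casing, and that stretch of IsMigrateURLAllowed is outside the diff. `url.Parse` lowercases the scheme itself, so scheme checks are unaffected, but any textual host comparison in the unseen lines should use a lowered value. Computing `host := strings.ToLower(u.Host)` directly after the parse error check would give the whole function one normalized name. A comment above the parse such as `// Keep the path's case (local paths are case-sensitive); only the host is compared case-insensitively.` would record why the lowering moved.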
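Review bot: `host` is derived from `u.Host`, which in net/url still carries an explicit port when the URL has one, so what `allowList.Match(host)` and `blockList.Match(host)` see depends on more than the domain name. If the configured entries are bare domain patterns (the matcher is not shown here), a mismatch fails closed on the allow-list branch but fails open on the block-list branch. Consider `host := strings.ToLower(u.Hostname())` unless entries are meant to include ports, and say which in the setting's documentation. The function body continues outside the hunk.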
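Review bot: The new mixed-case assertion exercises only the allow-list branch. The block-list branch, configured on the following context lines with `BlockedDomains = []string{"github.com"}`, is where a case mismatch would let a blocked host through, so it deserves the mirror check. After that `Init()` call, add `err = IsMigrateURLAllowed("https://gITHUb.com/go-gitea/gitea.git", nonAdminUser)` followed by `assert.Error(t, err)`. The rest of TestMigrateWhiteBlocklist lies outside the hunk, so there may already be a lowercase block-list assertion to place it next to.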