From e8ad6c1ff36b257506bcc30482e9ad02badd0566 Mon Sep 17 00:00:00 2001
From: KN4CK3R <KN4CK3R@users.noreply.github.com>
Date: Thu, 18 Mar 2021 14:58:47 +0100
Subject: [PATCH] Do not convert file path to lowercase (#15023)
* Do not convert file path to lowercase.
* lint
* Check against lowercase hostname.
---
integrations/migrate_test.go | 42 ++++++++++++++++++++++++++++++
modules/migrations/migrate.go | 7 ++---
modules/migrations/migrate_test.go | 3 +++
3 files changed, 49 insertions(+), 3 deletions(-)
create mode 100644 integrations/migrate_test.go
diff --git a/integrations/migrate_test.go b/integrations/migrate_test.go
new file mode 100644
index 0000000000..b0395fbc3d
--- /dev/null
+++ b/integrations/migrate_test.go
@@ -0,0 +1,42 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+ "io/ioutil"
+ "os"
+ "testing"
+
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/migrations"
+ "code.gitea.io/gitea/modules/setting"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestMigrateLocalPath(t *testing.T) {
+ assert.NoError(t, models.PrepareTestDatabase())
+
+ adminUser := models.AssertExistsAndLoadBean(t, &models.User{Name: "user1"}).(*models.User)
+
+ old := setting.ImportLocalPaths
+ setting.ImportLocalPaths = true
+
+ lowercasePath, err := ioutil.TempDir("", "lowercase") // may not be lowercase because TempDir creates a random directory name which may be mixedcase
+ assert.NoError(t, err)
+ defer os.RemoveAll(lowercasePath)
+
+ err = migrations.IsMigrateURLAllowed(lowercasePath, adminUser)
+ assert.NoError(t, err, "case lowercase path")
+
+ mixedcasePath, err := ioutil.TempDir("", "mIxeDCaSe")
+ assert.NoError(t, err)
+ defer os.RemoveAll(mixedcasePath)
+
+ err = migrations.IsMigrateURLAllowed(mixedcasePath, adminUser)
+ assert.NoError(t, err, "case mixedcase path")
+
+ setting.ImportLocalPaths = old
+}
diff --git a/modules/migrations/migrate.go b/modules/migrations/migrate.go
index 619b572a3f..75fee80a39 100644
--- a/modules/migrations/migrate.go
+++ b/modules/migrations/migrate.go
@@ -39,7 +39,7 @@ func RegisterDownloaderFactory(factory base.DownloaderFactory) {
// IsMigrateURLAllowed checks if an URL is allowed to be migrated from
func IsMigrateURLAllowed(remoteURL string, doer *models.User) error {
// Remote address can be HTTP/HTTPS/Git URL or local path.
- u, err := url.Parse(strings.ToLower(remoteURL))
+ u, err := url.Parse(remoteURL)
if err != nil {
return &models.ErrInvalidCloneAddr{IsURLError: true}
}
@@ -72,12 +72,13 @@ func IsMigrateURLAllowed(remoteURL string, doer *models.User) error {
return &models.ErrInvalidCloneAddr{Host: u.Host, IsProtocolInvalid: true, IsPermissionDenied: true, IsURLError: true}
}
+ host := strings.ToLower(u.Host)
if len(setting.Migrations.AllowedDomains) > 0 {
- if !allowList.Match(u.Host) {
+ if !allowList.Match(host) {
return &models.ErrInvalidCloneAddr{Host: u.Host, IsPermissionDenied: true}
}
} else {
- if blockList.Match(u.Host) {
+ if blockList.Match(host) {
return &models.ErrInvalidCloneAddr{Host: u.Host, IsPermissionDenied: true}
}
}
diff --git a/modules/migrations/migrate_test.go b/modules/migrations/migrate_test.go
index be119d32d3..98ee2dfc4a 100644
--- a/modules/migrations/migrate_test.go
+++ b/modules/migrations/migrate_test.go
@@ -29,6 +29,9 @@ func TestMigrateWhiteBlocklist(t *testing.T) {
err = IsMigrateURLAllowed("https://github.com/go-gitea/gitea.git", nonAdminUser)
assert.NoError(t, err)
+ err = IsMigrateURLAllowed("https://gITHUb.com/go-gitea/gitea.git", nonAdminUser)
+ assert.NoError(t, err)
+
setting.Migrations.AllowedDomains = []string{}
setting.Migrations.BlockedDomains = []string{"github.com"}
assert.NoError(t, Init())