GetRepositoryByName shouldn't find a repository if name is empty #31708

Closed
tik-stbuehler opened this issue Jul 26, 2024 · 0 comments · Fixed by #31712

@tik-stbuehler

Description

Hi,

URLs with an empty repository name before .git find "random" repositories.

Example: https://gitea.com/gitea/.git/info/refs

As far as I can tell this happens because:

  1. The "githttp"-handling will strip .git from the :reponame path parameter, i.e. ending up with an empty string:

func httpBase(ctx *context.Context) *serviceHandler {
	username := ctx.PathParam(":username")
	reponame := strings.TrimSuffix(ctx.PathParam(":reponame"), ".git")

	if ctx.FormString("go-get") == "1" {
		context.EarlyResponseForGoGetMeta(ctx)
		return nil
	}

	var isPull, receivePack bool
	service := ctx.FormString("service")
	if service == "git-receive-pack" ||
		strings.HasSuffix(ctx.Req.URL.Path, "git-receive-pack") {
		isPull = false
		receivePack = true
	} else if service == "git-upload-pack" ||
		strings.HasSuffix(ctx.Req.URL.Path, "git-upload-pack") {
		isPull = true
	} else if service == "git-upload-archive" ||
		strings.HasSuffix(ctx.Req.URL.Path, "git-upload-archive") {
		isPull = true
	} else {
		isPull = ctx.Req.Method == "GET"
	}

	var accessMode perm.AccessMode
	if isPull {
		accessMode = perm.AccessModeRead
	} else {
		accessMode = perm.AccessModeWrite
	}

	isWiki := false
	unitType := unit.TypeCode

	if strings.HasSuffix(reponame, ".wiki") {
		isWiki = true
		unitType = unit.TypeWiki
		reponame = reponame[:len(reponame)-5]
	}

	owner := ctx.ContextUser
	if !owner.IsOrganization() && !owner.IsActive {
		ctx.PlainText(http.StatusForbidden, "Repository cannot be accessed. You cannot push or open issues/pull-requests.")
		return nil
	}

	repoExist := true
	repo, err := repo_model.GetRepositoryByName(ctx, owner.ID, reponame)

  2. GetRepositoryByName uses some magic "Get" method on a partially initialized object, passing an empty string as LowerName - but empty fields are likely not used in the WHERE filter string for the database.

gitea/models/repo/repo.go

Lines 747 to 759 in 4b376a0

func GetRepositoryByName(ctx context.Context, ownerID int64, name string) (*Repository, error) {
	repo := &Repository{
		OwnerID:   ownerID,
		LowerName: strings.ToLower(name),
	}
	has, err := db.GetEngine(ctx).Get(repo)
	if err != nil {
		return nil, err
	} else if !has {
		return nil, ErrRepoNotExist{0, ownerID, "", name}
	}
	return repo, err
}

Imho the most reliable solution is for GetRepositoryByName not to find repositories with empty names.

cheers,
Stefan

Gitea Version

gitea.com doesn't say

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

gitea.com is your instance.

Database

None
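
The two steps described in the issue, modelled as an added example that is not part of the original issue and is neither Gitea's nor the ORM's code. `getByBean` is an assumed in-memory model of a bean lookup that skips zero-valued fields; the sample rows and the names `repoNameFromSegment`, `lookupUnsafe` and `lookupGuarded` are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

type Repository struct { // the two columns the quoted lookup filters on
	OwnerID   int64
	LowerName string
}

// Constructed sample rows: owner 7 has two repositories, owner 9 has one.
var table = []Repository{{7, "website"}, {7, "internal"}, {9, "tools"}}

// repoNameFromSegment repeats the TrimSuffix step from the quoted httpBase.
func repoNameFromSegment(seg string) string { return strings.TrimSuffix(seg, ".git") }

// getByBean is an assumed model of the behaviour the issue suspects, not the
// ORM's code: zero-valued bean fields are left out of the row filter.
func getByBean(bean Repository) (Repository, bool) {
	for _, row := range table {
		ownerOK := bean.OwnerID == 0 || bean.OwnerID == row.OwnerID
		nameOK := bean.LowerName == "" || bean.LowerName == row.LowerName
		if ownerOK && nameOK {
			return row, true
		}
	}
	return Repository{}, false
}

// lookupUnsafe has the shape of the quoted GetRepositoryByName.
func lookupUnsafe(ownerID int64, name string) (Repository, bool) {
	return getByBean(Repository{ownerID, strings.ToLower(name)})
}

// lookupGuarded treats an empty name as "not found" before filtering.
func lookupGuarded(ownerID int64, name string) (Repository, bool) {
	if name == "" {
		return Repository{}, false
	}
	return lookupUnsafe(ownerID, name)
}

func main() {
	name := repoNameFromSegment(".git") // ":reponame" in /owner/.git/info/refs
	fmt.Println(lookupUnsafe(7, name))
	fmt.Println(lookupGuarded(7, name))
}
```

With the empty name, the unguarded lookup filters on the owner alone and returns whichever of that owner's rows comes first, while the guarded lookup reports no match.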

lunny added this to the 1.22.2 milestone Jul 27, 2024
lunny closed this as completed in d109923 Jul 29, 2024
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Jul 29, 2024
lunny added a commit that referenced this issue Jul 29, 2024
go-gitea locked as resolved and limited conversation to collaborators Oct 27, 2024