Fix push-create SSH bugs (#10145) (#10151)

* Attempt to fix push-create SSH bugs Signed-off-by: jolheiser <john.olheiser@gmail.com> * Fix binding Signed-off-by: jolheiser <john.olheiser@gmail.com> * Invalid ctx Signed-off-by: jolheiser <john.olheiser@gmail.com>
go-gitea · Feb 5, 2020 · 2cd2614 · 2cd2614
1 parent 0129e76
commit 2cd2614
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 1 deletion.
diff --git a/cmd/serv.go b/cmd/serv.go
@@ -12,6 +12,7 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -72,6 +73,7 @@ var (
 		"git-receive-pack":   models.AccessModeWrite,
 		lfsAuthenticateVerb:  models.AccessModeNone,
 	}
+	alphaDashDotPattern = regexp.MustCompile(`[^\w-\.]`)
 )
 
 func fail(userMessage, logMessage string, args ...interface{}) {
@@ -147,6 +149,10 @@ func runServ(c *cli.Context) error {
 	username := strings.ToLower(rr[0])
 	reponame := strings.ToLower(strings.TrimSuffix(rr[1], ".git"))
 
+	if alphaDashDotPattern.MatchString(reponame) {
+		fail("Invalid repo name", "Invalid repo name: %s", reponame)
+	}
+
 	if setting.EnablePprof || c.Bool("enable-pprof") {
 		if err := os.MkdirAll(setting.PprofDataPath, os.ModePerm); err != nil {
 			fail("Error while trying to create PPROF_DATA_PATH", "Error while trying to create PPROF_DATA_PATH: %v", err)

diff --git a/integrations/git_test.go b/integrations/git_test.go
@@ -422,6 +422,9 @@ func doPushCreate(ctx APITestContext, u *url.URL) func(t *testing.T) {
 		tmpDir, err := ioutil.TempDir("", ctx.Reponame)
 		assert.NoError(t, err)
 
+		_, err = git.NewCommand("clone", u.String()).RunInDir(tmpDir)
+		assert.Error(t, err)
+
 		err = git.InitRepository(tmpDir, false)
 		assert.NoError(t, err)
 
@@ -449,13 +452,26 @@ func doPushCreate(ctx APITestContext, u *url.URL) func(t *testing.T) {
 		_, err = git.NewCommand("remote", "add", "origin", u.String()).RunInDir(tmpDir)
 		assert.NoError(t, err)
 
+		invalidCtx := ctx
+		invalidCtx.Reponame = fmt.Sprintf("invalid/repo-tmp-push-create-%s", u.Scheme)
+		u.Path = invalidCtx.GitPath()
+
+		_, err = git.NewCommand("remote", "add", "invalid", u.String()).RunInDir(tmpDir)
+		assert.NoError(t, err)
+
 		// Push to create disabled
 		setting.Repository.EnablePushCreateUser = false
 		_, err = git.NewCommand("push", "origin", "master").RunInDir(tmpDir)
 		assert.Error(t, err)
 
 		// Push to create enabled
 		setting.Repository.EnablePushCreateUser = true
+
+		// Invalid repo
+		_, err = git.NewCommand("push", "invalid", "master").RunInDir(tmpDir)
+		assert.Error(t, err)
+
+		// Valid repo
 		_, err = git.NewCommand("push", "origin", "master").RunInDir(tmpDir)
 		assert.NoError(t, err)
 

diff --git a/routers/private/serv.go b/routers/private/serv.go
@@ -68,7 +68,6 @@ func ServNoCommand(ctx *macaron.Context) {
 
 // ServCommand returns information about the provided keyid
 func ServCommand(ctx *macaron.Context) {
-	// Although we provide the verbs we don't need them at present they're just for logging purposes
 	keyID := ctx.ParamsInt64(":keyid")
 	ownerName := ctx.Params(":owner")
 	repoName := ctx.Params(":repo")
@@ -105,6 +104,17 @@ func ServCommand(ctx *macaron.Context) {
 	if err != nil {
 		if models.IsErrRepoNotExist(err) {
 			repoExist = false
+			for _, verb := range ctx.QueryStrings("verb") {
+				if "git-upload-pack" == verb {
+					// User is fetching/cloning a non-existent repository
+					ctx.JSON(http.StatusNotFound, map[string]interface{}{
+						"results": results,
+						"type":    "ErrRepoNotExist",
+						"err":     fmt.Sprintf("Cannot find repository: %s/%s", results.OwnerName, results.RepoName),
+					})
+					return
+				}
+			}
 		} else {
 			log.Error("Unable to get repository: %s/%s Error: %v", results.OwnerName, results.RepoName, err)
 			ctx.JSON(http.StatusInternalServerError, map[string]interface{}{