Sanitize credentials in mirror form (go-gitea#9975)
lunny authored and zeripath committed Jan 25, 2020
1 parent 5b17bb8 commit a67c06c
Showing 4 changed files with 37 additions and 1 deletion.
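--- a/models/repo.go
+++ b/models/repo.go
@@ -197,6 +197,14 @@ type Repository struct {
 UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
 }
 
+// SanitizedOriginalURL returns a sanitized OriginalURL
+func (repo *Repository) SanitizedOriginalURL() string {
+if repo.OriginalURL == "" {
+return ""
+}
+return util.SanitizeURLCredentials(repo.OriginalURL, false)
+}
+
 // ColorFormat returns a colored string to represent this repo
 func (repo *Repository) ColorFormat(s fmt.State) {
 var ownerName interface{}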
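Review bot: SanitizedOriginalURL has three possible results but its comment describes only one: it returns "" when OriginalURL is unset, the credential-stripped URL when it parses, and whatever SanitizeURLCredentials returns on a parse failure, which in this commit is the literal `(unparsable url)`. The header template changed in this same commit treats any non-empty result as the link target, so a mirror whose OriginalURL does not parse would show that literal as both href and text instead of falling back to `MirrorAddress`. I would at least document the contract, e.g. `// SanitizedOriginalURL returns OriginalURL with credentials removed; "" if unset, "(unparsable url)" if it cannot be parsed.`, and consider having the caller treat the sentinel as empty.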
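--- a/modules/util/sanitize.go
+++ b/modules/util/sanitize.go
@@ -7,6 +7,8 @@ package util
 import (
 "net/url"
 "strings"
+
+"code.gitea.io/gitea/modules/log"
 )
 
 // urlSafeError wraps an error whose message may contain a sensitive URL
@@ -36,6 +38,7 @@ func SanitizeMessage(message, unsanitizedURL string) string {
 func SanitizeURLCredentials(unsanitizedURL string, usePlaceholder bool) string {
 u, err := url.Parse(unsanitizedURL)
 if err != nil {
+log.Error("parse url %s failed: %v", unsanitizedURL, err)
 // don't log the error, since it might contain unsanitized URL.
 return "(unparsable url)"
 }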
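Review bot: The added `log.Error("parse url %s failed: %v", unsanitizedURL, err)` in the second hunk writes the raw input to the server log, and both the URL itself and the url.Parse error text can carry the embedded username, password or token, which is exactly what the comment on the following line says must not be logged. A function whose job is to strip credentials should not leak them on its failure path, since logs are commonly retained and forwarded with weaker access control than the database. I would drop the line together with the new `modules/log` import, or log a constant such as `log.Error("sanitize: unparsable URL (value withheld)")`. The body of SanitizeURLCredentials continues past the end of the hunk.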
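--- a/modules/util/sanitize_test.go
+++ b/modules/util/sanitize_test.go
@@ -0,0 +1,25 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package util
+
+import (
+"testing"
+
+"github.com/stretchr/testify/assert"
+)
+
+func TestSanitizeURLCredentials(t *testing.T) {
+var kases = map[string]string{
+"https://github.com/go-gitea/test_repo.git": "https://github.com/go-gitea/test_repo.git",
+"https://[email protected]/go-gitea/test_repo.git": "https://github.com/go-gitea/test_repo.git",
+"http://github.com/go-gitea/test_repo.git": "http://github.com/go-gitea/test_repo.git",
+"/test/repos/repo1": "/test/repos/repo1",
+"[email protected]:go-gitea/test_repo.git": "(unparsable url)",
+}
+
+for source, value := range kases {
+assert.EqualValues(t, value, SanitizeURLCredentials(source, false))
+}
+}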
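Review bot: The table only ever calls `SanitizeURLCredentials(source, false)`, so the `usePlaceholder=true` behaviour has no coverage. Two of the keys appear in this rendering as `[email protected]`, so it is not visible whether a `user:password@host` form is exercised; if it is not, that is the case most worth pinning for a credential-stripping helper. Because map iteration order is random, a failing entry is also hard to identify; passing the input as the message, `assert.EqualValues(t, value, SanitizeURLCredentials(source, false), source)`, fixes that.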
2 changes: 1 addition & 1 deletion templates/repo/header.tmpl
@@ -14,7 +14,7 @@
{{if and .RelAvatarLink .IsPrivate}}<i class="mega-octicon octicon-lock"></i>{{end}}
{{if .IsTemplate}}<i class="icon fa-copy"></i>{{end}}
{{if .IsArchived}}<i class="archive icon archived-icon"></i>{{end}}
{{if .IsMirror}}<div class="fork-flag">{{$.i18n.Tr "repo.mirror_from"}} <a target="_blank" rel="noopener noreferrer" href="{{MirrorAddress $.Mirror}}">{{MirrorAddress $.Mirror}}</a></div>{{end}}
{{if .IsMirror}}<div class="fork-flag">{{$.i18n.Tr "repo.mirror_from"}} <a target="_blank" rel="noopener noreferrer" href="{{if .SanitizedOriginalURL}}{{.SanitizedOriginalURL}}{{else}}{{MirrorAddress $.Mirror}}{{end}}">{{if .SanitizedOriginalURL}}{{.SanitizedOriginalURL}}{{else}}{{MirrorAddress $.Mirror}}{{end}}</a></div>{{end}}
{{if .IsFork}}<div class="fork-flag">{{$.i18n.Tr "repo.forked_from"}} <a href="{{.BaseRepo.Link}}">{{SubStr .BaseRepo.RelLink 1 -1}}</a></div>{{end}}
{{if .IsGenerated}}<div class="fork-flag">{{$.i18n.Tr "repo.generated_from"}} <a href="{{.TemplateRepo.Link}}">{{SubStr .TemplateRepo.RelLink 1 -1}}</a></div>{{end}}
</div>
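Review bot: The `{{if .SanitizedOriginalURL}}…{{else}}{{MirrorAddress $.Mirror}}{{end}}` expression is written out twice on the line that uses SanitizedOriginalURL, once for href and once for the link text, so a later edit to one copy can leave the two showing different addresses. Binding it once keeps them in step: `{{$mirrorURL := .SanitizedOriginalURL}}{{if not $mirrorURL}}{{$mirrorURL = MirrorAddress $.Mirror}}{{end}}`, then `{{$mirrorURL}}` in both places. The fallback still prints `MirrorAddress $.Mirror`, and nothing visible in this section shows whether that value has credentials stripped, so it is worth confirming that path is sanitized as well.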
