From 43155550e04441d81c8f15d732e7fcfbad3b1efd Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Mon, 13 Mar 2023 21:01:08 +0800
Subject: [PATCH 1/2] make sure lfs will only support relative path
---
 routers/web/repo/lfs.go | 2 +-
 services/lfs/locks.go | 13 ++++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/routers/web/repo/lfs.go b/routers/web/repo/lfs.go
index 43f5527986b9b..ed7d0273da717 100644
--- a/routers/web/repo/lfs.go
+++ b/routers/web/repo/lfs.go
@@ -215,7 +215,7 @@ func LFSLockFile(ctx *context.Context) {
 }
 _, err := git_model.CreateLFSLock(ctx, ctx.Repo.Repository, &git_model.LFSLock{
- Path: lockPath,
+ Path: strings.TrimPrefix(lockPath, "/"),
 OwnerID: ctx.Doer.ID,
 })
 if err != nil {
diff --git a/services/lfs/locks.go b/services/lfs/locks.go
index d963d9ab574fb..c11e25cbac8d0 100644
--- a/services/lfs/locks.go
+++ b/services/lfs/locks.go
@@ -95,7 +95,7 @@ func GetListLockHandler(ctx *context.Context) {
 return
 }
- path := ctx.FormString("path")
+ path := strings.TrimPrefix(ctx.FormString("path"), "/")
 if path != "" { // Case where we request a specific id
 lock, err := git_model.GetLFSLock(ctx, repository, path)
 if err != nil && !git_model.IsErrLFSLockNotExist(err) {
@@ -143,7 +143,14 @@ func PostLockHandler(ctx *context.Context) {
 })
 return
 }
- repository.MustOwner(ctx)
+ if err := repository.LoadOwner(ctx); err != nil {
+ log.Error("Unable to LoadOwner: %s/%s Error: %v", userName, repoName, err)
+ ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")
+ ctx.JSON(http.StatusUnauthorized, api.LFSLockError{
+ Message: "Something error with server",
+ })
+ return
+ }
 authenticated := authenticate(ctx, repository, authorization, true, true)
 if !authenticated {
@@ -168,7 +175,7 @@ func PostLockHandler(ctx *context.Context) {
 }
 lock, err := git_model.CreateLFSLock(ctx, repository, &git_model.LFSLock{
- Path: req.Path,
+ Path: strings.TrimPrefix(req.Path, "/"),
 OwnerID: ctx.Doer.ID,
 })
 if err != nil {
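Review bot: In GetListLockHandler (`@@ -95`) and PostLockHandler (`@@ -168`) the path only goes through `strings.TrimPrefix(..., "/")`, which drops a single leading slash and normalises nothing, so `//a` still starts with a slash and `a/../b` or `./a` are passed on as written. The web handler in routers/web/repo/lfs.go additionally runs `util.CleanPath` on its input (visible in the second patch of this series), so the same file can be locked under differently spelled paths depending on the entry point. Unless `git_model.GetLFSLock` and `git_model.CreateLFSLock` normalise internally, which is not visible here, use the same form in both handlers, e.g. `path := strings.TrimPrefix(util.CleanPath(ctx.FormString("path")), "/")`, assuming `util` can be imported in this package. PostLockHandler should also reject a path that is empty after trimming before it calls `CreateLFSLock`. Both function bodies continue outside the hunks.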
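Review bot: The new `LoadOwner` error branch in PostLockHandler (`@@ -143`) answers a server-side load failure with `http.StatusUnauthorized` plus a `WWW-Authenticate` header, which makes an LFS client prompt for credentials and retry although no credential can fix the failure. If the 401 is deliberate, so that callers learn nothing about server state before `authenticate` has run, record that in a comment such as `// 401 on purpose: do not reveal server state before authenticate() runs`; otherwise return `http.StatusInternalServerError` and drop the header. The message `"Something error with server"` would read better as `"internal server error"`. The function body starts and ends outside the hunk.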
From 4d18ad0d26fd851a0bc12096f49daa7bed1dec34 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Mon, 13 Mar 2023 21:08:22 +0800
Subject: [PATCH 2/2] check prefix ealier
---
 routers/web/repo/lfs.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/routers/web/repo/lfs.go b/routers/web/repo/lfs.go
index ed7d0273da717..714634554572e 100644
--- a/routers/web/repo/lfs.go
+++ b/routers/web/repo/lfs.go
@@ -207,7 +207,7 @@ func LFSLockFile(ctx *context.Context) {
 ctx.Redirect(ctx.Repo.RepoLink + "/settings/lfs/locks")
 return
 }
- lockPath = util.CleanPath(lockPath)
+ lockPath = strings.TrimPrefix(util.CleanPath(lockPath), "/")
 if len(lockPath) == 0 {
 ctx.Flash.Error(ctx.Tr("repo.settings.lfs_invalid_locking_path", originalPath))
 ctx.Redirect(ctx.Repo.RepoLink + "/settings/lfs/locks")
@@ -215,7 +215,7 @@ func LFSLockFile(ctx *context.Context) {
 }
 _, err := git_model.CreateLFSLock(ctx, ctx.Repo.Repository, &git_model.LFSLock{
- Path: strings.TrimPrefix(lockPath, "/"),
+ Path: lockPath,
 OwnerID: ctx.Doer.ID,
 })
 if err != nil {
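Review bot: Nothing in LFSLockFile (`@@ -207`) records why the slash is stripped before the `len(lockPath) == 0` check, yet that ordering is what makes an input for which `util.CleanPath` returns `/` be rejected as invalid rather than stored as an empty lock path. A one-line comment above the assignment would keep a later refactor from moving the trim back down: `// lock paths are repo-relative: strip the leading slash before the emptiness check so "/" is rejected`. The function body starts and ends outside the hunk.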