Add migration to sanitize repository original_url (#9423)
authormrsdizzie <info@mrsdizzie.com>
Thu, 19 Dec 2019 09:49:48 +0000 (04:49 -0500)
committerLunny Xiao <xiaolunwen@gmail.com>
Thu, 19 Dec 2019 09:49:48 +0000 (17:49 +0800)
* Add migration to sanitize repository original_url

During a large code move in #6200 the OriginalURL field was
accidentally changed to be populated with the CloneAddr field which
will contain the username and/or password provided during a migration.

This behavior was fixed in previous PR #9097 and this migration will
remove any authentication details that were stored in the database
between those two.

* use net/url to rebuild URL instead of strings.Replace

* Update models/migrations/migrations.go

* changes per lunny

* make fmt

models/migrations/migrations.go
models/migrations/v114.go [new file with mode: 0644]

index cbea5a95dd5f3cd0fe234cd3280f86fed35a36ab..923b5f5759c107a510927ee1a1bdbd0439916dee 100644 (file)
@@ -282,6 +282,8 @@ var migrations = []Migration{
        NewMigration("remove release attachments which repository deleted", removeAttachmentMissedRepo),
        // v113 -> v114
        NewMigration("new feature: change target branch of pull requests", featureChangeTargetBranch),
+       // v114 -> v115
+       NewMigration("Remove authentication credentials from stored URL", sanitizeOriginalURL),
 }
 
 // Migrate database to current version
diff --git a/models/migrations/v114.go b/models/migrations/v114.go
new file mode 100644 (file)
index 0000000..25a187f
--- /dev/null
@@ -0,0 +1,52 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+       "net/url"
+
+       "xorm.io/xorm"
+)
+
+func sanitizeOriginalURL(x *xorm.Engine) error {
+
+       type Repository struct {
+               ID          int64
+               OriginalURL string `xorm:"VARCHAR(2048)"`
+       }
+
+       var last int
+       const batchSize = 50
+       for {
+               var results = make([]Repository, 0, batchSize)
+               err := x.Where("original_url <> '' AND original_url IS NOT NULL").
+                       And("original_service_type = 0 OR original_service_type IS NULL").
+                       OrderBy("id").
+                       Limit(batchSize, last).
+                       Find(&results)
+               if err != nil {
+                       return err
+               }
+               if len(results) == 0 {
+                       break
+               }
+               last += len(results)
+
+               for _, res := range results {
+                       u, err := url.Parse(res.OriginalURL)
+                       if err != nil {
+                               // it is ok to continue here, we only care about fixing URLs that we can read
+                               continue
+                       }
+                       u.User = nil
+                       originalURL := u.String()
+                       _, err = x.Exec("UPDATE repository SET original_url = ? WHERE id = ?", originalURL, res.ID)
+                       if err != nil {
+                               return err
+                       }
+               }
+       }
+       return nil
+}
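Review bot: The `continue` after a failed `url.Parse` in the inner loop leaves that row's `original_url` unchanged, so any stored value the parser rejects (for example one whose userinfo contains characters net/url does not accept) keeps its credentials while the migration still returns nil. At minimum the skip should be visible to the operator, logging the repository ID only and never the URL itself, e.g. `log.Warn("sanitizeOriginalURL: unparsable original_url for repository %d left unchanged", res.ID)` using Gitea's `modules/log` package, which this file would then need to import. Separately, every matched row is rewritten even when it holds no credentials; adding `if u.User == nil { continue }` before `u.User = nil` would avoid needless UPDATEs and keep `u.String()` from re-serialising URLs that were already clean. The function has no doc comment; a line such as `// sanitizeOriginalURL strips userinfo from repository.original_url; unparsable values are skipped.` would record the skip behaviour for the next maintainer.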