Sanitize credentials in mirror form (#9975)

4 files changed, 37 insertions, 1 deletions

diff --git a/models/repo.go b/models/repo.go
index aa7639e4ba..5528a8e9d2 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -197,6 +197,14 @@ type Repository struct {
 	UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
 }
 
+// SanitizedOriginalURL returns a sanitized OriginalURL
+func (repo *Repository) SanitizedOriginalURL() string {
+	if repo.OriginalURL == "" {
+		return ""
+	}
+	return util.SanitizeURLCredentials(repo.OriginalURL, false)
+}
+
 // ColorFormat returns a colored string to represent this repo
 func (repo *Repository) ColorFormat(s fmt.State) {
 	var ownerName interface{}
diff --git a/modules/util/sanitize.go b/modules/util/sanitize.go
index b1c17b29cf..d04e1dee77 100644
--- a/modules/util/sanitize.go
+++ b/modules/util/sanitize.go
@@ -7,6 +7,8 @@ package util
 import (
 	"net/url"
 	"strings"
+
+	"code.gitea.io/gitea/modules/log"
 )
 
 // urlSafeError wraps an error whose message may contain a sensitive URL
@@ -36,6 +38,7 @@ func SanitizeMessage(message, unsanitizedURL string) string {
 func SanitizeURLCredentials(unsanitizedURL string, usePlaceholder bool) string {
 	u, err := url.Parse(unsanitizedURL)
 	if err != nil {
+		log.Error("parse url %s failed: %v", unsanitizedURL, err)
 		// don't log the error, since it might contain unsanitized URL.
 		return "(unparsable url)"
 	}
diff --git a/modules/util/sanitize_test.go b/modules/util/sanitize_test.go
new file mode 100644
index 0000000000..4f07100675
--- /dev/null
+++ b/modules/util/sanitize_test.go
@@ -0,0 +1,25 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package util
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSanitizeURLCredentials(t *testing.T) {
+	var kases = map[string]string{
+		"https://github.com/go-gitea/test_repo.git":         "https://github.com/go-gitea/test_repo.git",
+		"https://mytoken@github.com/go-gitea/test_repo.git": "https://github.com/go-gitea/test_repo.git",
+		"http://github.com/go-gitea/test_repo.git":          "http://github.com/go-gitea/test_repo.git",
+		"/test/repos/repo1":                                 "/test/repos/repo1",
+		"git@github.com:go-gitea/test_repo.git":             "(unparsable url)",
+	}
+
+	for source, value := range kases {
+		assert.EqualValues(t, value, SanitizeURLCredentials(source, false))
+	}
+}
diff --git a/templates/repo/header.tmpl b/templates/repo/header.tmpl
index b1b31183c4..b3757b2764 100644
--- a/templates/repo/header.tmpl
+++ b/templates/repo/header.tmpl
@@ -14,7 +14,7 @@
 				{{if and .RelAvatarLink .IsPrivate}}<i class="mega-octicon octicon-lock"></i>{{end}}
 				{{if .IsTemplate}}<i class="icon fa-copy"></i>{{end}}
 				{{if .IsArchived}}<i class="archive icon archived-icon"></i>{{end}}
-				{{if .IsMirror}}<div class="fork-flag">{{$.i18n.Tr "repo.mirror_from"}} <a target="_blank" rel="noopener noreferrer" href="{{MirrorAddress $.Mirror}}">{{MirrorAddress $.Mirror}}</a></div>{{end}}
+				{{if .IsMirror}}<div class="fork-flag">{{$.i18n.Tr "repo.mirror_from"}} <a target="_blank" rel="noopener noreferrer" href="{{if .SanitizedOriginalURL}}{{.SanitizedOriginalURL}}{{else}}{{MirrorAddress $.Mirror}}{{end}}">{{if .SanitizedOriginalURL}}{{.SanitizedOriginalURL}}{{else}}{{MirrorAddress $.Mirror}}{{end}}</a></div>{{end}}
 				{{if .IsFork}}<div class="fork-flag">{{$.i18n.Tr "repo.forked_from"}} <a href="{{.BaseRepo.Link}}">{{SubStr .BaseRepo.RelLink 1 -1}}</a></div>{{end}}
 				{{if .IsGenerated}}<div class="fork-flag">{{$.i18n.Tr "repo.generated_from"}} <a href="{{.TemplateRepo.Link}}">{{SubStr .TemplateRepo.RelLink 1 -1}}</a></div>{{end}}
 			</div>