authorwxiaoguang <wxiaoguang@gmail.com>2021-11-20 17:34:05 +0800
committerGitHub <noreply@github.com>2021-11-20 17:34:05 +0800
commit013fb73068281b45b33c72abaae0c42c8d79c499 (patch)
tree5cb710ea15a6f471648ecf19e2fdfab9804cb084 /modules/repository
parentc96be0cd982255f20a3fe6ff4683115b8073e65e (diff)
downloadgitea-013fb73068281b45b33c72abaae0c42c8d79c499.tar.gz
gitea-013fb73068281b45b33c72abaae0c42c8d79c499.zip
Use `hostmatcher` to replace `matchlist`, improve security (#17605)
Use hostmatcher to replace matchlist. We also introduce a better DialContext that does a full host/IP check; otherwise attackers can still bypass the allow/block list with a 302 redirection.
Diffstat (limited to 'modules/repository')
-rw-r--r--modules/repository/repo.go19
1 files changed, 11 insertions, 8 deletions
diff --git a/modules/repository/repo.go b/modules/repository/repo.go
index 5eec5a7314..dd54a99cc9 100644
--- a/modules/repository/repo.go
+++ b/modules/repository/repo.go
@@ -8,7 +8,7 @@ import (
"context"
"fmt"
"io"
- "net/url"
+ "net/http"
"path"
"strings"
"time"
@@ -46,7 +46,10 @@ func WikiRemoteURL(remote string) string {
}
// MigrateRepositoryGitData starts migrating git related data after created migrating repository
-func MigrateRepositoryGitData(ctx context.Context, u *models.User, repo *models.Repository, opts migration.MigrateOptions) (*models.Repository, error) {
+func MigrateRepositoryGitData(ctx context.Context, u *models.User,
+ repo *models.Repository, opts migration.MigrateOptions,
+ httpTransport *http.Transport,
+) (*models.Repository, error) {
repoPath := models.RepoPath(u.Name, opts.RepoName)
if u.IsOrganization() {
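Review bot: The doc comment above `MigrateRepositoryGitData` does not mention the new `httpTransport` parameter, although the host allow/block check for LFS traffic now depends on what the caller passes in. I would extend the comment with `// httpTransport is used for all LFS requests and must be the migration transport whose DialContext enforces the allow/block list.` What `lfs.NewClient` does with a nil transport is not visible here; if it falls back to a default transport, a nil argument would silently skip the check, so rejecting nil at the top of the function may be worth it. The function body continues outside the hunk.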
@@ -141,8 +144,9 @@ func MigrateRepositoryGitData(ctx context.Context, u *models.User, repo *models.
}
if opts.LFS {
- ep := lfs.DetermineEndpoint(opts.CloneAddr, opts.LFSEndpoint)
- if err = StoreMissingLfsObjectsInRepository(ctx, repo, gitRepo, ep, setting.Migrations.SkipTLSVerify); err != nil {
+ endpoint := lfs.DetermineEndpoint(opts.CloneAddr, opts.LFSEndpoint)
+ lfsClient := lfs.NewClient(endpoint, httpTransport)
+ if err = StoreMissingLfsObjectsInRepository(ctx, repo, gitRepo, lfsClient); err != nil {
log.Error("Failed to store missing LFS objects for repository: %v", err)
}
}
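Review bot: `setting.Migrations.SkipTLSVerify` is no longer passed at the `lfs.NewClient(endpoint, httpTransport)` call, so certificate verification for LFS downloads is now decided entirely by how the caller configured `httpTransport`, which this file does not show. A short comment such as `// TLS verification and host filtering are configured on httpTransport by the caller` would stop the next reader from assuming the setting was dropped. The failure is still only logged, so a blocked or failed LFS fetch lets the migration continue without those objects; that is presumably intentional, but it is worth stating in the same comment. The enclosing function starts and ends outside the hunk.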
@@ -336,8 +340,7 @@ func PushUpdateAddTag(repo *models.Repository, gitRepo *git.Repository, tagName
}
// StoreMissingLfsObjectsInRepository downloads missing LFS objects
-func StoreMissingLfsObjectsInRepository(ctx context.Context, repo *models.Repository, gitRepo *git.Repository, endpoint *url.URL, skipTLSVerify bool) error {
- client := lfs.NewClient(endpoint, skipTLSVerify)
+func StoreMissingLfsObjectsInRepository(ctx context.Context, repo *models.Repository, gitRepo *git.Repository, lfsClient lfs.Client) error {
contentStore := lfs.NewContentStore()
pointerChan := make(chan lfs.PointerBlob)
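Review bot: `StoreMissingLfsObjectsInRepository` now takes `lfsClient` from the caller and uses it without a check; if `lfs.Client` is an interface type, a nil value would panic at `lfsClient.Download` or `lfsClient.BatchSize()` further down. A guard at the top, `if lfsClient == nil { return fmt.Errorf("lfs client is nil") }`, turns that into an error rather than a crash (`fmt` is already imported in this file). The doc comment should also say that the client is expected to be built on a transport that enforces the migration allow/block list, since this exported function no longer constructs the client itself. The body continues outside the hunk.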
@@ -345,7 +348,7 @@ func StoreMissingLfsObjectsInRepository(ctx context.Context, repo *models.Reposi
go lfs.SearchPointerBlobs(ctx, gitRepo, pointerChan, errChan)
downloadObjects := func(pointers []lfs.Pointer) error {
- err := client.Download(ctx, pointers, func(p lfs.Pointer, content io.ReadCloser, objectError error) error {
+ err := lfsClient.Download(ctx, pointers, func(p lfs.Pointer, content io.ReadCloser, objectError error) error {
if objectError != nil {
return objectError
}
@@ -411,7 +414,7 @@ func StoreMissingLfsObjectsInRepository(ctx context.Context, repo *models.Reposi
}
batch = append(batch, pointerBlob.Pointer)
- if len(batch) >= client.BatchSize() {
+ if len(batch) >= lfsClient.BatchSize() {
if err := downloadObjects(batch); err != nil {
return err
}