From b3e757a06c2cfc554c7db0e2da170b123404f058 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Fri, 12 Apr 2019 21:52:57 +0100
Subject: Correctly adjust mirror url (#6593)

---
 routers/repo/setting.go | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

(limited to 'routers/repo')

diff --git a/routers/repo/setting.go b/routers/repo/setting.go
index 0101b2362b..f58601633a 100644
--- a/routers/repo/setting.go
+++ b/routers/repo/setting.go
@@ -7,9 +7,13 @@ package repo
 
 import (
 	"errors"
+	"net/url"
+	"regexp"
 	"strings"
 	"time"
 
+	"mvdan.cc/xurls/v2"
+
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/base"
@@ -32,6 +36,8 @@ const (
 	tplProtectedBranch base.TplName = "repo/settings/protected_branch"
 )
 
+var validFormAddress *regexp.Regexp
+
 // Settings show a repository's settings page
 func Settings(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("repo.settings")
@@ -145,7 +151,38 @@ func SettingsPost(ctx *context.Context, form auth.RepoSettingForm) {
 				return
 			}
 		}
-		if err := ctx.Repo.Mirror.SaveAddress(form.MirrorAddress); err != nil {
+
+		// Validate the form.MirrorAddress
+		u, err := url.Parse(form.MirrorAddress)
+		if err != nil {
+			ctx.Data["Err_MirrorAddress"] = true
+			ctx.RenderWithErr(ctx.Tr("repo.mirror_address_url_invalid"), tplSettingsOptions, &form)
+			return
+		}
+
+		if u.Opaque != "" || !(u.Scheme == "http" || u.Scheme == "https" || u.Scheme == "git") {
+			ctx.Data["Err_MirrorAddress"] = true
+			ctx.RenderWithErr(ctx.Tr("repo.mirror_address_protocol_invalid"), tplSettingsOptions, &form)
+			return
+		}
+
+		// Now use xurls
+		address := validFormAddress.FindString(form.MirrorAddress)
+		if address != form.MirrorAddress && form.MirrorAddress != "" {
+			ctx.Data["Err_MirrorAddress"] = true
+			ctx.RenderWithErr(ctx.Tr("repo.mirror_address_url_invalid"), tplSettingsOptions, &form)
+			return
+		}
+
+		if u.EscapedPath() == "" || u.Host == "" || !u.IsAbs() {
+			ctx.Data["Err_MirrorAddress"] = true
+			ctx.RenderWithErr(ctx.Tr("repo.mirror_address_url_invalid"), tplSettingsOptions, &form)
+			return
+		}
+
+		address = u.String()
+
+		if err := ctx.Repo.Mirror.SaveAddress(address); err != nil {
 			ctx.ServerError("SaveAddress", err)
 			return
 		}
@@ -682,3 +719,11 @@ func DeleteDeployKey(ctx *context.Context) {
 		"redirect": ctx.Repo.RepoLink + "/settings/keys",
 	})
 }
+
+func init() {
+	var err error
+	validFormAddress, err = xurls.StrictMatchingScheme(`(https?)|(git)://`)
+	if err != nil {
+		panic(err)
+	}
+}
-- 
cgit v1.2.3