From 16dfd9ffbe5d9653d75997303d88872462f10bfe Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Sun, 26 Jan 2020 16:16:53 +0800 Subject: [PATCH] Sanitize credentials in mirror form (#9975) (#9991) --- models/repo.go | 8 ++++++++ modules/util/sanitize.go | 3 +++ modules/util/sanitize_test.go | 25 +++++++++++++++++++++++++ templates/repo/header.tmpl | 2 +- 4 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 modules/util/sanitize_test.go
diff --git a/models/repo.go b/models/repo.go
index 0dbdcc11b5..3071c11f32 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -204,6 +204,14 @@ type Repository struct {
 UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
 }
 
+// SanitizedOriginalURL returns a sanitized OriginalURL
+func (repo *Repository) SanitizedOriginalURL() string {
+ if repo.OriginalURL == "" {
+ return ""
+ }
+ return util.SanitizeURLCredentials(repo.OriginalURL, false)
+}
+
 // ColorFormat returns a colored string to represent this repo
 func (repo *Repository) ColorFormat(s fmt.State) {
 var ownerName interface{}
diff --git a/modules/util/sanitize.go b/modules/util/sanitize.go
index b1c17b29cf..d04e1dee77 100644
--- a/modules/util/sanitize.go
+++ b/modules/util/sanitize.go
@@ -7,6 +7,8 @@ package util
 import (
 "net/url"
 "strings"
+
+ "code.gitea.io/gitea/modules/log"
 )
 
 // urlSafeError wraps an error whose message may contain a sensitive URL
@@ -36,6 +38,7 @@ func SanitizeMessage(message, unsanitizedURL string) string {
 func SanitizeURLCredentials(unsanitizedURL string, usePlaceholder bool) string {
 u, err := url.Parse(unsanitizedURL)
 if err != nil {
+ log.Error("parse url %s failed: %v", unsanitizedURL, err)
 // don't log the error, since it might contain unsanitized URL.
 return "(unparsable url)"
 }
diff --git a/modules/util/sanitize_test.go b/modules/util/sanitize_test.go
new file mode 100644
index 0000000000..4f07100675
--- /dev/null
+++ b/modules/util/sanitize_test.go
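Review bot: The doc comment on SanitizedOriginalURL in models/repo.go does not say what "sanitized" means or what the method returns when OriginalURL cannot be parsed, and a template renders whatever comes back. The test file in this patch shows that with the `false` argument the userinfo is dropped rather than replaced, and the sanitize.go hunk shows that an OriginalURL url.Parse rejects comes back as the literal `(unparsable url)` string, which the header template will then display as the mirror source. Suggest replacing the comment with `// SanitizedOriginalURL returns OriginalURL with any embedded credentials removed (no placeholder); it is "" when OriginalURL is empty and the "(unparsable url)" marker from util.SanitizeURLCredentials when the URL cannot be parsed.`.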
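Review bot: The added `log.Error("parse url %s failed: %v", unsanitizedURL, err)` in SanitizeURLCredentials writes the unsanitized URL to the server log, and the error value url.Parse returns embeds the raw input a second time, so a mirror address carrying a token or password now lands in the log in clear text; the untouched comment on the very next line, `// don't log the error, since it might contain unsanitized URL.`, documents exactly this hazard and is now contradicted by the code above it. In a patch whose purpose is to keep credentials out of visible output this is a regression rather than a diagnostic. Either drop the log line, or log only the fact without echoing the URL or the error, e.g. `log.Error("SanitizeURLCredentials: unparsable url (not logged, may contain credentials)")`. The import hunk above adds the log dependency solely for this call, so it goes away with it. The rest of SanitizeURLCredentials lies outside the hunk.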
@@ -0,0 +1,25 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package util
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestSanitizeURLCredentials(t *testing.T) {
+ var kases = map[string]string{
+ "https://github.com/go-gitea/test_repo.git": "https://github.com/go-gitea/test_repo.git",
+ "https://mytoken@github.com/go-gitea/test_repo.git": "https://github.com/go-gitea/test_repo.git",
+ "http://github.com/go-gitea/test_repo.git": "http://github.com/go-gitea/test_repo.git",
+ "/test/repos/repo1": "/test/repos/repo1",
+ "git@github.com:go-gitea/test_repo.git": "(unparsable url)",
+ }
+
+ for source, value := range kases {
+ assert.EqualValues(t, value, SanitizeURLCredentials(source, false))
+ }
+}
diff --git a/templates/repo/header.tmpl b/templates/repo/header.tmpl
index b1b31183c4..b3757b2764 100644
--- a/templates/repo/header.tmpl
+++ b/templates/repo/header.tmpl
@@ -14,7 +14,7 @@
 {{if and .RelAvatarLink .IsPrivate}}{{end}}
 {{if .IsTemplate}}{{end}}
 {{if .IsArchived}}{{end}}
- {{if .IsMirror}}
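Review bot: The kases table in TestSanitizeURLCredentials exercises a bare userinfo token (`mytoken@`) but not the `user:password@host` form that the commit title is about, and never calls the function with `usePlaceholder` true, so a regression that strips only the username part, or mishandles the placeholder branch, would still pass. Consider adding `"https://user:password@github.com/go-gitea/test_repo.git": "https://github.com/go-gitea/test_repo.git",` to kases, expected by the same rule as the mytoken case, plus one assertion on the `true` branch with whatever placeholder text the function uses. Map iteration order is random, so a failure message here identifies the case only through the assert output; a slice of structs with a name field would make failures easier to read.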
{{$.i18n.Tr "repo.mirror_from"}} {{MirrorAddress $.Mirror}}
{{end}} + {{if .IsMirror}}
{{$.i18n.Tr "repo.mirror_from"}} {{if .SanitizedOriginalURL}}{{.SanitizedOriginalURL}}{{else}}{{MirrorAddress $.Mirror}}{{end}}
{{end}} {{if .IsFork}}
{{$.i18n.Tr "repo.forked_from"}} {{SubStr .BaseRepo.RelLink 1 -1}}
{{end}} {{if .IsGenerated}}
{{$.i18n.Tr "repo.generated_from"}} {{SubStr .TemplateRepo.RelLink 1 -1}}
{{end}}