
Commit 1ad48f7

wxiaoguang and KN4CK3R authored
Relax generic package filename restrictions (#30135)
Now the chars `=:;()[]{}~!@#$%^ &` are accepted as well. Fixes #30134 --------- Co-authored-by: KN4CK3R <[email protected]>
1 parent 1551d73 commit 1ad48f7

3 files changed

+91
-7
lines changed


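--- a/routers/api/packages/generic/generic.go
+++ b/routers/api/packages/generic/generic.go
@@ -8,6 +8,7 @@ import (
 "net/http"
 "regexp"
 "strings"
+"unicode"
 
 packages_model "code.gitea.io/gitea/models/packages"
 "code.gitea.io/gitea/modules/log"
@@ -18,8 +19,8 @@ import (
 )
 
 var (
-packageNameRegex = regexp.MustCompile(`\A[A-Za-z0-9\.\_\-\+]+\z`)
-filenameRegex = packageNameRegex
+packageNameRegex = regexp.MustCompile(`\A[-_+.\w]+\z`)
+filenameRegex = regexp.MustCompile(`\A[-_+=:;.()\[\]{}~!@#$%^& \w]+\z`)
 )
 
 func apiError(ctx *context.Context, status int, obj any) {
@@ -54,20 +55,38 @@ func DownloadPackageFile(ctx *context.Context) {
 helper.ServePackageFile(ctx, s, u, pf)
 }
 
+func isValidPackageName(packageName string) bool {
+if len(packageName) == 1 && !unicode.IsLetter(rune(packageName[0])) && !unicode.IsNumber(rune(packageName[0])) {
+return false
+}
+return packageNameRegex.MatchString(packageName) && packageName != ".."
+}
+
+func isValidFileName(filename string) bool {
+return filenameRegex.MatchString(filename) &&
+strings.TrimSpace(filename) == filename &&
+filename != "." && filename != ".."
+}
+
 // UploadPackage uploads the specific generic package.
 // Duplicated packages get rejected.
 func UploadPackage(ctx *context.Context) {
 packageName := ctx.Params("packagename")
 filename := ctx.Params("filename")
 
-if !packageNameRegex.MatchString(packageName) || !filenameRegex.MatchString(filename) {
-apiError(ctx, http.StatusBadRequest, errors.New("Invalid package name or filename"))
+if !isValidPackageName(packageName) {
+apiError(ctx, http.StatusBadRequest, errors.New("invalid package name"))
+return
+}
+
+if !isValidFileName(filename) {
+apiError(ctx, http.StatusBadRequest, errors.New("invalid filename"))
 return
 }
 
 packageVersion := ctx.Params("packageversion")
 if packageVersion != strings.TrimSpace(packageVersion) {
-apiError(ctx, http.StatusBadRequest, errors.New("Invalid package version"))
+apiError(ctx, http.StatusBadRequest, errors.New("invalid package version"))
 return
 }
 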
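Review bot: isValidPackageName and isValidFileName carry no doc comment, yet they now define the exact character set accepted for two request parameters; add `// isValidPackageName accepts [-_+.\w]+ (ASCII \w only), rejects ".." and any single-character name that is not a letter or digit.` and a matching comment on isValidFileName that names the extra punctuation, the leading/trailing-whitespace rejection and the "."/".." rejection. The `rune(packageName[0])` cast in the single-character guard inspects only the first byte; that is sound here because `\w` in Go's RE2 syntax is ASCII-only, so any multibyte name fails the regex on the next line, but a comment such as `// first byte suffices: the regex below admits ASCII only` would keep a later switch to a Unicode class from silently breaking the guard. The newly permitted `;`, `%`, `&`, `#` and space now reach the stored filename that helper.ServePackageFile serves (context line at the top of the hunk); if that path writes the filename into a Content-Disposition header or a log line, it needs escaping there, which this hunk cannot show.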

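--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,65 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package generic
+
+import (
+"testing"
+
+"github.com/stretchr/testify/assert"
+)
+
+func TestValidatePackageName(t *testing.T) {
+bad := []string{
+"",
+".",
+"..",
+"-",
+"a?b",
+"a b",
+"a/b",
+}
+for _, name := range bad {
+assert.False(t, isValidPackageName(name), "bad=%q", name)
+}
+
+good := []string{
+"a",
+"1",
+"a-",
+"a_b",
+"c.d+",
+}
+for _, name := range good {
+assert.True(t, isValidPackageName(name), "good=%q", name)
+}
+}
+
+func TestValidateFileName(t *testing.T) {
+bad := []string{
+"",
+".",
+"..",
+"a?b",
+"a/b",
+" a",
+"a ",
+}
+for _, name := range bad {
+assert.False(t, isValidFileName(name), "bad=%q", name)
+}
+
+good := []string{
+"-",
+"a",
+"1",
+"a-",
+"a_b",
+"a b",
+"c.d+",
+`-_+=:;.()[]{}~!@#$%^& aA1`,
+}
+for _, name := range good {
+assert.True(t, isValidFileName(name), "good=%q", name)
+}
+}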
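Review bot: The bad lists in TestValidatePackageName and TestValidateFileName do not exercise a single non-ASCII character such as `"é"`, which is the input where isValidPackageName's byte cast of `packageName[0]` and the ASCII-only `\w` class interact, nor a tab such as `"a\tb"`, which the filename regex rejects while it accepts a space. Adding those two entries to the respective bad slices pins both decisions against future regex changes.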

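--- a/tests/integration/api_packages_generic_test.go
+++ b/tests/integration/api_packages_generic_test.go
@@ -84,15 +84,15 @@ func TestPackageGeneric(t *testing.T) {
 t.Run("InvalidParameter", func(t *testing.T) {
 defer tests.PrintCurrentTest(t)()
 
-req := NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, "invalid+package name", packageVersion, filename), bytes.NewReader(content)).
+req := NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, "invalid package name", packageVersion, filename), bytes.NewReader(content)).
 AddBasicAuth(user.Name)
 MakeRequest(t, req, http.StatusBadRequest)
 
 req = NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, packageName, "%20test ", filename), bytes.NewReader(content)).
 AddBasicAuth(user.Name)
 MakeRequest(t, req, http.StatusBadRequest)
 
-req = NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, packageName, packageVersion, "inval+id.na me"), bytes.NewReader(content)).
+req = NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, packageName, packageVersion, "inva|id.name"), bytes.NewReader(content)).
 AddBasicAuth(user.Name)
 MakeRequest(t, req, http.StatusBadRequest)
 })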
