Skip to content

Commit 7eed11e

Browse files
gary-kimlunny
gary-kim
authored and
lunny
committed
Check commit message hashes before making links (#7713)
* Check commit message hashes before making links Previously, when formatting commit messages, anything that looked like SHA1 hashes was turned into a link using regex. This meant that certain phrases or numbers such as `777777` or `deadbeef` could be recognized as a commit even if the repository has no commit with those hashes. This change will make it so that anything that looks like a SHA1 hash using regex will then also be checked to ensure that there is a commit in the repository with that hash before making a link. Signed-off-by: Gary Kim <[email protected]> * Use gogit to check if commit exists This commit modifies the commit hash check in the render for commit messages to use gogit for better performance. Signed-off-by: Gary Kim <[email protected]> * Make code cleaner Signed-off-by: Gary Kim <[email protected]> * Use rev-parse to check if commit exists Signed-off-by: Gary Kim <[email protected]> * Add and modify tests for checking hashes in html link rendering Signed-off-by: Gary Kim <[email protected]> * Return error in sha1CurrentPatternProcessor Co-Authored-By: mrsdizzie <[email protected]> * Import Gitea log module Signed-off-by: Gary Kim <[email protected]> * Revert "Return error in sha1CurrentPatternProcessor" This reverts commit 28f561c. Signed-off-by: Gary Kim <[email protected]> * Add debug logging to sha1CurrentPatternProcessor This will log errors by the git command run in sha1CurrentPatternProcessor if the error is one that was unexpected. Signed-off-by: Gary Kim <[email protected]>
1 parent 46d6b92 commit 7eed11e

File tree

4 files changed

+34
-16
lines changed

4 files changed

+34
-16
lines changed

models/repo.go

+3-2
Original file line numberDiff line numberDiff line change
@@ -508,8 +508,9 @@ func (repo *Repository) mustOwnerName(e Engine) string {
508508
func (repo *Repository) ComposeMetas() map[string]string {
509509
if repo.ExternalMetas == nil {
510510
repo.ExternalMetas = map[string]string{
511-
"user": repo.MustOwner().Name,
512-
"repo": repo.Name,
511+
"user": repo.MustOwner().Name,
512+
"repo": repo.Name,
513+
"repoPath": repo.RepoPath(),
513514
}
514515
unit, err := repo.GetUnit(UnitTypeExternalTracker)
515516
if err != nil {

modules/markup/html.go

+14
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,8 @@ import (
1313
"strings"
1414

1515
"code.gitea.io/gitea/modules/base"
16+
"code.gitea.io/gitea/modules/git"
17+
"code.gitea.io/gitea/modules/log"
1618
"code.gitea.io/gitea/modules/setting"
1719
"code.gitea.io/gitea/modules/util"
1820

@@ -646,6 +648,9 @@ func fullSha1PatternProcessor(ctx *postProcessCtx, node *html.Node) {
646648
// sha1CurrentPatternProcessor renders SHA1 strings to corresponding links that
647649
// are assumed to be in the same repository.
648650
func sha1CurrentPatternProcessor(ctx *postProcessCtx, node *html.Node) {
651+
if ctx.metas == nil || ctx.metas["user"] == "" || ctx.metas["repo"] == "" || ctx.metas["repoPath"] == "" {
652+
return
653+
}
649654
m := sha1CurrentPattern.FindStringSubmatchIndex(node.Data)
650655
if m == nil {
651656
return
@@ -657,6 +662,15 @@ func sha1CurrentPatternProcessor(ctx *postProcessCtx, node *html.Node) {
657662
// but that is not always the case.
658663
// Although unlikely, deadbeef and 1234567 are valid short forms of SHA1 hash
659664
// as used by git and github for linking and thus we have to do similar.
665+
// Because of this, we check to make sure that a matched hash is actually
666+
// a commit in the repository before making it a link.
667+
if _, err := git.NewCommand("rev-parse", "--verify", hash).RunInDirBytes(ctx.metas["repoPath"]); err != nil {
668+
if !strings.Contains(err.Error(), "fatal: Needed a single revision") {
669+
log.Debug("sha1CurrentPatternProcessor git rev-parse: %v", err)
670+
}
671+
return
672+
}
673+
660674
replaceContent(node, m[2], m[3],
661675
createCodeLink(util.URLJoin(setting.AppURL, ctx.metas["user"], ctx.metas["repo"], "commit", hash), base.ShortSha(hash)))
662676
}

modules/markup/html_test.go

+12-10
Original file line numberDiff line numberDiff line change
@@ -17,8 +17,9 @@ import (
1717
)
1818

1919
var localMetas = map[string]string{
20-
"user": "gogits",
21-
"repo": "gogs",
20+
"user": "gogits",
21+
"repo": "gogs",
22+
"repoPath": "../../integrations/gitea-repositories-meta/user13/repo11.git/",
2223
}
2324

2425
func TestRender_Commits(t *testing.T) {
@@ -30,19 +31,20 @@ func TestRender_Commits(t *testing.T) {
3031
assert.Equal(t, strings.TrimSpace(expected), strings.TrimSpace(buffer))
3132
}
3233

33-
var sha = "b6dd6210eaebc915fd5be5579c58cce4da2e2579"
34+
var sha = "65f1bf27bc3bf70f64657658635e66094edbcb4d"
3435
var commit = util.URLJoin(AppSubURL, "commit", sha)
3536
var subtree = util.URLJoin(commit, "src")
3637
var tree = strings.Replace(subtree, "/commit/", "/tree/", -1)
3738

38-
test(sha, `<p><a href="`+commit+`" rel="nofollow"><code>b6dd6210ea</code></a></p>`)
39-
test(sha[:7], `<p><a href="`+commit[:len(commit)-(40-7)]+`" rel="nofollow"><code>b6dd621</code></a></p>`)
40-
test(sha[:39], `<p><a href="`+commit[:len(commit)-(40-39)]+`" rel="nofollow"><code>b6dd6210ea</code></a></p>`)
41-
test(commit, `<p><a href="`+commit+`" rel="nofollow"><code>b6dd6210ea</code></a></p>`)
42-
test(tree, `<p><a href="`+tree+`" rel="nofollow"><code>b6dd6210ea/src</code></a></p>`)
43-
test("commit "+sha, `<p>commit <a href="`+commit+`" rel="nofollow"><code>b6dd6210ea</code></a></p>`)
39+
test(sha, `<p><a href="`+commit+`" rel="nofollow"><code>65f1bf27bc</code></a></p>`)
40+
test(sha[:7], `<p><a href="`+commit[:len(commit)-(40-7)]+`" rel="nofollow"><code>65f1bf2</code></a></p>`)
41+
test(sha[:39], `<p><a href="`+commit[:len(commit)-(40-39)]+`" rel="nofollow"><code>65f1bf27bc</code></a></p>`)
42+
test(commit, `<p><a href="`+commit+`" rel="nofollow"><code>65f1bf27bc</code></a></p>`)
43+
test(tree, `<p><a href="`+tree+`" rel="nofollow"><code>65f1bf27bc/src</code></a></p>`)
44+
test("commit "+sha, `<p>commit <a href="`+commit+`" rel="nofollow"><code>65f1bf27bc</code></a></p>`)
4445
test("/home/gitea/"+sha, "<p>/home/gitea/"+sha+"</p>")
45-
46+
test("deadbeef", `<p>deadbeef</p>`)
47+
test("d27ace93", `<p>d27ace93</p>`)
4648
}
4749

4850
func TestRender_CrossReferences(t *testing.T) {

modules/markup/markdown/markdown_test.go

+5-4
Original file line numberDiff line numberDiff line change
@@ -21,8 +21,9 @@ const AppSubURL = AppURL + Repo + "/"
2121

2222
// these values should match the Repo const above
2323
var localMetas = map[string]string{
24-
"user": "gogits",
25-
"repo": "gogs",
24+
"user": "gogits",
25+
"repo": "gogs",
26+
"repoPath": "../../../integrations/gitea-repositories-meta/user13/repo11.git/",
2627
}
2728

2829
func TestRender_StandardLinks(t *testing.T) {
@@ -103,7 +104,7 @@ func testAnswers(baseURLContent, baseURLImages string) []string {
103104
<li><a href="` + baseURLContent + `/Tips" rel="nofollow">Tips</a></li>
104105
</ul>
105106
106-
<p>See commit <a href="http://localhost:3000/gogits/gogs/commit/fc7f44dadf" rel="nofollow"><code>fc7f44dadf</code></a></p>
107+
<p>See commit <a href="http://localhost:3000/gogits/gogs/commit/65f1bf27bc" rel="nofollow"><code>65f1bf27bc</code></a></p>
107108
108109
<p>Ideas and codes</p>
109110
@@ -194,7 +195,7 @@ var sameCases = []string{
194195
- [[Links, Language bindings, Engine bindings|Links]]
195196
- [[Tips]]
196197
197-
See commit fc7f44dadf
198+
See commit 65f1bf27bc
198199
199200
Ideas and codes
200201

0 commit comments

Comments
 (0)