Clean path

Author: sapk

integrations/api_repo_lfs_locks_test.go

@@ -68,6 +68,7 @@ func TestAPILFSLocksLogged(t *testing.T) {
 		{user: user2, repo: repo1, path: "path/test", httpResult: http.StatusCreated, addTime: []int{0}},
 		{user: user2, repo: repo1, path: "path/test", httpResult: http.StatusConflict},
 		{user: user2, repo: repo1, path: "Foo/BaR.zip", httpResult: http.StatusConflict},
+		{user: user2, repo: repo1, path: "Foo/Test/../subFOlder/../Relative/../BaR.zip", httpResult: http.StatusConflict},
 		{user: user4, repo: repo1, path: "FoO/BaR.zip", httpResult: http.StatusForbidden},
 		{user: user4, repo: repo1, path: "path/test-user4", httpResult: http.StatusForbidden},
 		{user: user2, repo: repo1, path: "patH/Test-user4", httpResult: http.StatusCreated, addTime: []int{0}},

models/lfs_lock.go

@@ -6,6 +6,7 @@ package models
 
 import (
 	"fmt"
+	"path"
 	"strconv"
 	"strings"
 	"time"
@@ -26,14 +27,18 @@ type LFSLock struct {
 // BeforeInsert is invoked from XORM before inserting an object of this type.
 func (l *LFSLock) BeforeInsert() {
 	l.OwnerID = l.Owner.ID
-	l.Path = strings.ToLower(l.Path)
+	l.Path = cleanPath(l.Path)
 }
 
 // AfterLoad is invoked from XORM after setting the values of all fields of this object.
 func (l *LFSLock) AfterLoad() {
 	l.Owner, _ = GetUserByID(l.OwnerID)
 }
 
+func cleanPath(p string) string {
+	return strings.ToLower(path.Clean(p))
+}
+
 // APIFormat convert a Release to lfs.LFSLock
 func (l *LFSLock) APIFormat() *api.LFSLock {
 	return &api.LFSLock{
@@ -67,8 +72,8 @@ func CreateLFSLock(lock *LFSLock) (*LFSLock, error) {
 
 // GetLFSLock returns release by given path.
 func GetLFSLock(repoID int64, path string) (*LFSLock, error) {
-	path = strings.ToLower(path)
-	rel := &LFSLock{RepoID: repoID, Path: path} //TODO Define if path should needed to be lower for windows compat ?
+	path = cleanPath(path)
+	rel := &LFSLock{RepoID: repoID, Path: path}
 	has, err := x.Get(rel)
 	if err != nil {
 		return nil, err