+13 -2

routes/git.go

reviewed

··· 8 8 "path/filepath" 9 9 10 10 "git.icyphox.sh/legit/git/service" 11 11 + securejoin "github.com/cyphar/filepath-securejoin" 11 12 ) 12 13 13 14 func (d *deps) InfoRefs(w http.ResponseWriter, r *http.Request) { 14 15 name := r.PathValue("name") 15 16 name = filepath.Clean(name) 16 17 17 17 - repo := filepath.Join(d.c.Repo.ScanPath, name) 18 18 + repo, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) 19 19 + if err != nil { 20 20 + log.Printf("securejoin error: %v", err) 21 21 + d.Write404(w) 22 22 + return 23 23 + } 18 24 19 25 w.Header().Set("content-type", "application/x-git-upload-pack-advertisement") 20 26 w.WriteHeader(http.StatusOK) ··· 35 41 name := r.PathValue("name") 36 42 name = filepath.Clean(name) 37 43 38 38 - repo := filepath.Join(d.c.Repo.ScanPath, name) 44 44 + repo, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) 45 45 + if err != nil { 46 46 + log.Printf("securejoin error: %v", err) 47 47 + d.Write404(w) 48 48 + return 49 49 + } 39 50 40 51 w.Header().Set("content-type", "application/x-git-upload-pack-result") 41 52 w.Header().Set("Connection", "Keep-Alive")

+60 -9

routes/routes.go

reviewed

··· 15 15 16 16 "git.icyphox.sh/legit/config" 17 17 "git.icyphox.sh/legit/git" 18 18 + securejoin "github.com/cyphar/filepath-securejoin" 18 19 "github.com/dustin/go-humanize" 19 20 "github.com/microcosm-cc/bluemonday" 20 21 "github.com/russross/blackfriday/v2" ··· 45 46 continue 46 47 } 47 48 48 48 - path := filepath.Join(d.c.Repo.ScanPath, name) 49 49 + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) 50 50 + if err != nil { 51 51 + log.Printf("securejoin error: %v", err) 52 52 + d.Write404(w) 53 53 + return 54 54 + } 55 55 + 49 56 gr, err := git.Open(path, "") 50 57 if err != nil { 51 58 log.Println(err) ··· 92 99 return 93 100 } 94 101 name = filepath.Clean(name) 95 95 - path := filepath.Join(d.c.Repo.ScanPath, name) 102 102 + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) 103 103 + if err != nil { 104 104 + log.Printf("securejoin error: %v", err) 105 105 + d.Write404(w) 106 106 + return 107 107 + } 96 108 97 109 gr, err := git.Open(path, "") 98 110 if err != nil { ··· 177 189 ref := r.PathValue("ref") 178 190 179 191 name = filepath.Clean(name) 180 180 - path := filepath.Join(d.c.Repo.ScanPath, name) 192 192 + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) 193 193 + if err != nil { 194 194 + log.Printf("securejoin error: %v", err) 195 195 + d.Write404(w) 196 196 + return 197 197 + } 181 198 gr, err := git.Open(path, ref) 182 199 if err != nil { 183 200 d.Write404(w) ··· 218 235 ref := r.PathValue("ref") 219 236 220 237 name = filepath.Clean(name) 221 221 - path := filepath.Join(d.c.Repo.ScanPath, name) 238 238 + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) 239 239 + if err != nil { 240 240 + log.Printf("securejoin error: %v", err) 241 241 + d.Write404(w) 242 242 + return 243 243 + } 244 244 + 222 245 gr, err := git.Open(path, ref) 223 246 if err != nil { 224 247 d.Write404(w) ··· 271 294 setContentDisposition(w, filename) 272 295 setGZipMIME(w) 273 296 274 274 - path := filepath.Join(d.c.Repo.ScanPath, name) 297 297 + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) 298 298 + if err != nil { 299 299 + log.Printf("securejoin error: %v", err) 300 300 + d.Write404(w) 301 301 + return 302 302 + } 303 303 + 275 304 gr, err := git.Open(path, ref) 276 305 if err != nil { 277 306 d.Write404(w) ··· 307 336 } 308 337 ref := r.PathValue("ref") 309 338 310 310 - path := filepath.Join(d.c.Repo.ScanPath, name) 339 339 + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) 340 340 + if err != nil { 341 341 + log.Printf("securejoin error: %v", err) 342 342 + d.Write404(w) 343 343 + return 344 344 + } 345 345 + 311 346 gr, err := git.Open(path, ref) 312 347 if err != nil { 313 348 d.Write404(w) ··· 347 382 } 348 383 ref := r.PathValue("ref") 349 384 350 350 - path := filepath.Join(d.c.Repo.ScanPath, name) 385 385 + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) 386 386 + if err != nil { 387 387 + log.Printf("securejoin error: %v", err) 388 388 + d.Write404(w) 389 389 + return 390 390 + } 351 391 gr, err := git.Open(path, ref) 352 392 if err != nil { 353 393 d.Write404(w) ··· 388 428 return 389 429 } 390 430 391 391 - path := filepath.Join(d.c.Repo.ScanPath, name) 431 431 + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) 432 432 + if err != nil { 433 433 + log.Printf("securejoin error: %v", err) 434 434 + d.Write404(w) 435 435 + return 436 436 + } 437 437 + 392 438 gr, err := git.Open(path, "") 393 439 if err != nil { 394 440 d.Write404(w) ··· 428 474 429 475 func (d *deps) ServeStatic(w http.ResponseWriter, r *http.Request) { 430 476 f := r.PathValue("file") 431 431 - f = filepath.Clean(filepath.Join(d.c.Dirs.Static, f)) 477 477 + f = filepath.Clean(f) 478 478 + f, err := securejoin.SecureJoin(d.c.Dirs.Static, f) 479 479 + if err != nil { 480 480 + d.Write404(w) 481 481 + return 482 482 + } 432 483 433 484 http.ServeFile(w, r, f) 434 485 }