web/forgejo
8
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-02-23 03:45:47 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

fix: always set stripped slashes on http request (#6866)

Browse source 
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6866
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
This commit is contained in:
Otto 2025-02-10 18:30:52 +00:00
commit afa8e5ad13
3 changed files with 24 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
routers/common/middleware.go
View file

@ -95,10 +95,9 @@ func stripSlashesMiddleware(next http.Handler) http.Handler {
prevWasSlash = chr == '/' prevWasSlash = chr == '/'
} }
if rctx == nil { req.URL.Path = sanitizedPath.String()
req.URL.Path = sanitizedPath.String() if rctx != nil {
} else { rctx.RoutePath = req.URL.Path
rctx.RoutePath = sanitizedPath.String()
} }
next.ServeHTTP(resp, req) next.ServeHTTP(resp, req)
}) })

25
routers/common/middleware_test.go
View file

@ -7,6 +7,9 @@ import (
"net/http/httptest" "net/http/httptest"
"testing" "testing"
"code.gitea.io/gitea/modules/web"
chi "github.com/go-chi/chi/v5"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
) )
@ -43,6 +46,11 @@ func TestStripSlashesMiddleware(t *testing.T) {
inputPath: "/user2//repo1/", inputPath: "/user2//repo1/",
expectedPath: "/user2/repo1", expectedPath: "/user2/repo1",
}, },
{
name: "path with slashes in the beginning",
inputPath: "https://codeberg.org//user2/repo1/",
expectedPath: "/user2/repo1",
},
{ {
name: "path with slashes and query params", name: "path with slashes and query params",
inputPath: "/repo//migrate?service_type=3", inputPath: "/repo//migrate?service_type=3",
@ -56,15 +64,22 @@ func TestStripSlashesMiddleware(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
testMiddleware := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { r := web.NewRoute()
r.Use(stripSlashesMiddleware)
called := false
r.Get("*", func(w http.ResponseWriter, r *http.Request) {
assert.Equal(t, tt.expectedPath, r.URL.Path) assert.Equal(t, tt.expectedPath, r.URL.Path)
rctx := chi.RouteContext(r.Context())
assert.Equal(t, tt.expectedPath, rctx.RoutePath)
called = true
}) })
// pass the test middleware to validate the changes
handlerToTest := stripSlashesMiddleware(testMiddleware)
// create a mock request to use // create a mock request to use
req := httptest.NewRequest("GET", tt.inputPath, nil) req := httptest.NewRequest("GET", tt.inputPath, nil)
// call the handler using a mock response recorder r.ServeHTTP(httptest.NewRecorder(), req)
handlerToTest.ServeHTTP(httptest.NewRecorder(), req) assert.True(t, called)
} }
} }

2
services/context/repo.go
View file

@ -1058,7 +1058,7 @@ func RepoRefByType(refType RepoRefType, ignoreNotExistErr ...bool) func(*Context
if refType == RepoRefLegacy { if refType == RepoRefLegacy {
// redirect from old URL scheme to new URL scheme // redirect from old URL scheme to new URL scheme
prefix := strings.TrimPrefix(setting.AppSubURL+strings.ToLower(strings.TrimSuffix(ctx.Req.URL.Path, ctx.Params("*"))), strings.ToLower(ctx.Repo.RepoLink)) prefix := strings.TrimPrefix(setting.AppSubURL+strings.ToLower(strings.TrimSuffix(ctx.Req.URL.Path, ctx.PathParamRaw("*"))), strings.ToLower(ctx.Repo.RepoLink))
ctx.Redirect(path.Join( ctx.Redirect(path.Join(
ctx.Repo.RepoLink, ctx.Repo.RepoLink,