Browse Source

Safe work

pull/586/head
Unknwon 10 years ago
parent
commit
83283bca4c
  1. 2
      gogs.go
  2. 5
      models/issue.go
  3. 19
      models/repo.go
  4. 8
      models/user.go
  5. 20
      routers/api/v1/repos.go
  6. 2
      templates/.VERSION

2
gogs.go

@ -17,7 +17,7 @@ import (
"github.com/gogits/gogs/modules/setting"
)
const APP_VER = "0.5.6.1024 Beta"
const APP_VER = "0.5.6.1025 Beta"
func init() {
runtime.GOMAXPROCS(runtime.NumCPU())

5
models/issue.go

@ -211,7 +211,10 @@ func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds, sort
if len(labelIds) > 0 {
for _, label := range strings.Split(labelIds, ",") {
sess.And("label_ids like '%$" + label + "|%'")
// Prevent SQL inject.
if com.StrTo(label).MustInt() > 0 {
sess.And("label_ids like '%$" + label + "|%'")
}
}
}

19
models/repo.go

@ -1131,17 +1131,21 @@ type SearchOption struct {
Keyword string
Uid int64
Limit int
Private bool
}
// FilterSQLInject tries to prevent SQL injection.
func FilterSQLInject(key string) string {
key = strings.TrimSpace(key)
key = strings.Split(key, " ")[0]
key = strings.Replace(key, ",", "", -1)
return key
}
// SearchRepositoryByName returns given number of repositories whose name contains keyword.
func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
// Prevent SQL inject.
opt.Keyword = strings.TrimSpace(opt.Keyword)
if len(opt.Keyword) == 0 {
return repos, nil
}
opt.Keyword = strings.Split(opt.Keyword, " ")[0]
opt.Keyword = FilterSQLInject(opt.Keyword)
if len(opt.Keyword) == 0 {
return repos, nil
}
@ -1154,6 +1158,9 @@ func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
if opt.Uid > 0 {
sess.Where("owner_id=?", opt.Uid)
}
if !opt.Private {
sess.And("is_private=false")
}
sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos)
return repos, err
}

8
models/user.go

@ -574,13 +574,7 @@ func GetUserByEmail(email string) (*User, error) {
// SearchUserByName returns given number of users whose name contains keyword.
func SearchUserByName(opt SearchOption) (us []*User, err error) {
// Prevent SQL inject.
opt.Keyword = strings.TrimSpace(opt.Keyword)
if len(opt.Keyword) == 0 {
return us, nil
}
opt.Keyword = strings.Split(opt.Keyword, " ")[0]
opt.Keyword = FilterSQLInject(opt.Keyword)
if len(opt.Keyword) == 0 {
return us, nil
}

20
routers/api/v1/repos.go

@ -31,6 +31,26 @@ func SearchRepos(ctx *middleware.Context) {
opt.Limit = 10
}
// Check visibility.
if ctx.IsSigned && opt.Uid > 0 {
if ctx.User.Id == opt.Uid {
opt.Private = true
} else {
u, err := models.GetUserById(opt.Uid)
if err != nil {
ctx.JSON(500, map[string]interface{}{
"ok": false,
"error": err.Error(),
})
return
}
if u.IsOrganization() && u.IsOrgOwner(ctx.User.Id) {
opt.Private = true
}
// FIXME: how about collaborators?
}
}
repos, err := models.SearchRepositoryByName(opt)
if err != nil {
ctx.JSON(500, map[string]interface{}{

2
templates/.VERSION

@ -1 +1 @@
0.5.6.1024 Beta
0.5.6.1025 Beta
Loading…
Cancel
Save