fix: follow symlinks for local assets (#8596)

- This reverts behavior that was partially unintentionally introduced in forgejo/forgejo#8143, symbolic links were no longer followed (if they escaped the asset folder) for local assets. - Having symbolic links for user-added files is, to my understanding, a ,common usecase for NixOS and would thus have symbolic links in the asset folders. Avoiding symbolic links is not easy. - The previous code used `http.Dir`, we cannot use that as it's not of the same type. The equivalent is `os.DirFS`. - Unit test to prevent this regression from happening again. Reported-by: bloxx12 (Matrix). Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8596 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-08-27 04:33:50 +00:00 · 2025-07-22 15:02:47 +02:00 · 2025-07-22 15:02:47 +02:00 · 0c7612bca4
commit 0c7612bca4
parent 65a9c12a1f
2 changed files with 30 additions and 9 deletions
--- a/modules/assetfs/layered_test.go
+++ b/modules/assetfs/layered_test.go
@ -1,4 +1,5 @@
 // Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2025 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

 package assetfs
@ -108,3 +109,30 @@ func TestLayered(t *testing.T) {
 	assert.Equal(t, "l1", assets.GetFileLayerName("f1"))
 	assert.Equal(t, "l2", assets.GetFileLayerName("f2"))
 }
+
+// Allow layers to read symlink outside the layer root.
+func TestLayeredSymlink(t *testing.T) {
+	dir := t.TempDir()
+	dirl1 := filepath.Join(dir, "l1")
+	require.NoError(t, os.MkdirAll(dirl1, 0o755))
+
+	// Open layer in dir/l1
+	layer := Local("l1", dirl1)
+
+	// Create a file in dir/outside
+	fileContents := []byte("I am outside the layer")
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "outside"), fileContents, 0o600))
+	// Symlink dir/l1/outside to dir/outside
+	require.NoError(t, os.Symlink(filepath.Join(dir, "outside"), filepath.Join(dirl1, "outside")))
+
+	// Open dir/l1/outside.
+	f, err := layer.Open("outside")
+	require.NoError(t, err)
+	defer f.Close()
+
+	// Confirm it contains the output of dir/outside
+	contents, err := io.ReadAll(f)
+	require.NoError(t, err)
+
+	assert.Equal(t, fileContents, contents)
+}