mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-09-12 22:07:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix: don't allow credentials in migrate/push mirror URL

Browse source 
Do not allow credentials to be present in the URLs that are provided for
migrations and push mirrors. They have to be given via the dedicated
input fields. Give a error when this happens.

There's nothing wrong with trying have the backend "correct" this, but
would be a larger patch than necessary in the context of a security fix.
This can be done in public.
This commit is contained in:
Gusted 2025-08-21 02:07:50 +02:00 committed by Earl Warren
commit 9f955b300b
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
7 changed files with 16 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
models/error.go
View file

@ -121,6 +121,7 @@ type ErrInvalidCloneAddr struct {
IsInvalidPath bool
IsProtocolInvalid bool
IsPermissionDenied bool
HasCredentials bool
LocalPath bool
}
@ -143,6 +144,9 @@ func (err *ErrInvalidCloneAddr) Error() string {
if err.IsURLError {
return fmt.Sprintf("migration/cloning from '%s' is not allowed: the provided url is invalid", err.Host)
}
if err.HasCredentials {
return fmt.Sprintf("migration/cloning from '%s' is not allowed: the provided url contains credentials", err.Host)
}
return fmt.Sprintf("migration/cloning from '%s' is not allowed", err.Host)
}