gitea/services/migrations/common.go

// Copyright 2022 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package migrations

import (
	"fmt"
	"net/url"
	"strings"

	system_model "gitea.dev/models/system"
	"gitea.dev/modules/git"
	"gitea.dev/modules/log"
	base "gitea.dev/modules/migration"
)

// serviceCloneURLInfo bundles the API base URL and parsed repo path of a clone
// address, hiding scheme conversion (ssh→https) needed for forge API calls.
type serviceCloneURLInfo struct {
	apiURL   *url.URL
	repoPath string
	segments []string
}

// parseServiceCloneURL parses a clone address and returns its API base URL
// (always http/https — ssh/git are promoted to https for API calls) together
// with the repo path and its segments.
func parseServiceCloneURL(cloneAddr string) (*serviceCloneURLInfo, error) {
	u, err := url.Parse(cloneAddr)
	if err != nil {
		return nil, err
	}
	apiURL := *u
	apiURL.User = nil
	apiURL.Path = ""
	apiURL.RawQuery = ""
	apiURL.Fragment = ""
	// Forge APIs are HTTP(S) only; promote ssh/git clone schemes to https.
	if apiURL.Scheme == "ssh" || apiURL.Scheme == "git" {
		apiURL.Scheme = "https"
	}
	repoPath := strings.TrimPrefix(u.Path, "/")
	segments := strings.Split(repoPath, "/")
	return &serviceCloneURLInfo{apiURL: &apiURL, repoPath: repoPath, segments: segments}, nil
}

// WarnAndNotice will log the provided message and send a repository notice
func WarnAndNotice(fmtStr string, args ...any) {
	log.Warn(fmtStr, args...)
	if err := system_model.CreateRepositoryNotice(fmt.Sprintf(fmtStr, args...)); err != nil {
		log.Error("create repository notice failed: ", err)
	}
}

func hasBaseURL(toCheck, baseURL string) bool {
	if len(baseURL) > 0 && baseURL[len(baseURL)-1] != '/' {
		baseURL += "/"
	}
	return strings.HasPrefix(toCheck, baseURL)
}

// CheckAndEnsureSafePR will check that a given PR is safe to download
func CheckAndEnsureSafePR(pr *base.PullRequest, commonCloneBaseURL string, g base.Downloader) bool {
	valid := true
	// SECURITY: the patchURL must be checked to have the same baseURL as the current to prevent open redirect
	if pr.PatchURL != "" && !hasBaseURL(pr.PatchURL, commonCloneBaseURL) {
		// TODO: Should we check that this url has the expected format for a patch url?
		WarnAndNotice("PR #%d in %s has invalid PatchURL: %s baseURL: %s", pr.Number, g, pr.PatchURL, commonCloneBaseURL)
		pr.PatchURL = ""
		valid = false
	}

	// SECURITY: the headCloneURL must be checked to have the same baseURL as the current to prevent open redirect
	if pr.Head.CloneURL != "" && !hasBaseURL(pr.Head.CloneURL, commonCloneBaseURL) {
		// TODO: Should we check that this url has the expected format for a patch url?
		WarnAndNotice("PR #%d in %s has invalid HeadCloneURL: %s baseURL: %s", pr.Number, g, pr.Head.CloneURL, commonCloneBaseURL)
		pr.Head.CloneURL = ""
		valid = false
	}

	// SECURITY: SHAs Must be a SHA
	// FIXME: hash only a SHA1
	CommitType := git.Sha1ObjectFormat
	if pr.MergeCommitSHA != "" && !CommitType.IsValid(pr.MergeCommitSHA) {
		WarnAndNotice("PR #%d in %s has invalid MergeCommitSHA: %s", pr.Number, g, pr.MergeCommitSHA)
		pr.MergeCommitSHA = ""
	}
	if pr.Head.SHA != "" && !CommitType.IsValid(pr.Head.SHA) {
		WarnAndNotice("PR #%d in %s has invalid HeadSHA: %s", pr.Number, g, pr.Head.SHA)
		pr.Head.SHA = ""
		valid = false
	}
	if pr.Base.SHA != "" && !CommitType.IsValid(pr.Base.SHA) {
		WarnAndNotice("PR #%d in %s has invalid BaseSHA: %s", pr.Number, g, pr.Base.SHA)
		pr.Base.SHA = ""
		valid = false
	}

	// SECURITY: Refs must be valid refs or SHAs
	if pr.Head.Ref != "" && !git.IsValidRefPattern(pr.Head.Ref) {
		WarnAndNotice("PR #%d in %s has invalid HeadRef: %s", pr.Number, g, pr.Head.Ref)
		pr.Head.Ref = ""
		valid = false
	}
	if pr.Base.Ref != "" && !git.IsValidRefPattern(pr.Base.Ref) {
		WarnAndNotice("PR #%d in %s has invalid BaseRef: %s", pr.Number, g, pr.Base.Ref)
		pr.Base.Ref = ""
		valid = false
	}

	pr.EnsuredSafe = true

	return valid
}