Fix tree/raw redirection and disallow slashes in their path segments
// SPDX-License-Identifier: AGPL-3.0-only
// SPDX-FileContributor: Runxi Yu <https://runxiyu.org>
package main
import (
"net/http"
)
func errorPage404(w http.ResponseWriter, params map[string]any) {
w.WriteHeader(404)
_ = templates.ExecuteTemplate(w, "404", params)
}
func errorPage400(w http.ResponseWriter, params map[string]any, msg string) {
w.WriteHeader(400)
params["bad_request_msg"] = msg
_ = templates.ExecuteTemplate(w, "400", params)
}
// SPDX-License-Identifier: AGPL-3.0-only // SPDX-FileContributor: Runxi Yu <https://runxiyu.org> package main import ( "fmt" "net/http"
"path"
"strings"
"github.com/go-git/go-git/v5"
"github.com/go-git/go-git/v5/plumbing"
"github.com/go-git/go-git/v5/plumbing/object"
)
func httpHandleRepoRaw(w http.ResponseWriter, r *http.Request, params map[string]any) {
var rawPathSpec, pathSpec string
var repo *git.Repository
var refHash plumbing.Hash
var commitObj *object.Commit
var tree *object.Tree
var err error
rawPathSpec = params["rest"].(string)
repo, pathSpec = params["repo"].(*git.Repository), strings.TrimSuffix(rawPathSpec, "/")
params["path_spec"] = pathSpec
if refHash, err = getRefHash(repo, params["ref_type"].(string), params["ref_name"].(string)); err != nil {
http.Error(w, "Error getting ref hash: "+err.Error(), http.StatusInternalServerError)
return
}
if commitObj, err = repo.CommitObject(refHash); err != nil {
http.Error(w, "Error getting commit object: "+err.Error(), http.StatusInternalServerError)
return
}
if tree, err = commitObj.Tree(); err != nil {
http.Error(w, "Error getting file tree: "+err.Error(), http.StatusInternalServerError)
return
}
var target *object.Tree
if pathSpec == "" {
target = tree
} else {
if target, err = tree.Tree(pathSpec); err != nil {
var file *object.File
var fileContent string
if file, err = tree.File(pathSpec); err != nil {
http.Error(w, "Error retrieving path: "+err.Error(), http.StatusInternalServerError)
return
}
if len(rawPathSpec) != 0 && rawPathSpec[len(rawPathSpec)-1] == '/' {
http.Redirect(w, r, "../"+pathSpec, http.StatusSeeOther)
if redirectNoDir(w, r) {
return
}
if fileContent, err = file.Contents(); err != nil {
http.Error(w, "Error reading file: "+err.Error(), http.StatusInternalServerError)
return
}
fmt.Fprint(w, fileContent)
return
}
}
if len(rawPathSpec) != 0 && rawPathSpec[len(rawPathSpec)-1] != '/' {
http.Redirect(w, r, path.Base(pathSpec)+"/", http.StatusSeeOther)
if redirectDir(w, r) {
return } params["files"] = makeDisplayTree(target) renderTemplate(w, "repo_raw_dir", params) }
// SPDX-License-Identifier: AGPL-3.0-only
// SPDX-FileContributor: Runxi Yu <https://runxiyu.org>
package main
import (
"bytes"
"html/template"
"net/http"
"path"
"strings"
"github.com/alecthomas/chroma/v2"
chromaHTML "github.com/alecthomas/chroma/v2/formatters/html"
chromaLexers "github.com/alecthomas/chroma/v2/lexers"
chromaStyles "github.com/alecthomas/chroma/v2/styles"
"github.com/go-git/go-git/v5"
"github.com/go-git/go-git/v5/plumbing"
"github.com/go-git/go-git/v5/plumbing/object"
)
func httpHandleRepoTree(w http.ResponseWriter, r *http.Request, params map[string]any) {
var rawPathSpec, pathSpec string
var repo *git.Repository
var refHash plumbing.Hash
var commitObject *object.Commit
var tree *object.Tree
var err error
rawPathSpec = params["rest"].(string)
repo, pathSpec = params["repo"].(*git.Repository), strings.TrimSuffix(rawPathSpec, "/")
params["path_spec"] = pathSpec
if refHash, err = getRefHash(repo, params["ref_type"].(string), params["ref_name"].(string)); err != nil {
http.Error(w, "Error getting ref hash: "+err.Error(), http.StatusInternalServerError)
return
}
if commitObject, err = repo.CommitObject(refHash); err != nil {
http.Error(w, "Error getting commit object: "+err.Error(), http.StatusInternalServerError)
return
}
if tree, err = commitObject.Tree(); err != nil {
http.Error(w, "Error getting file tree: "+err.Error(), http.StatusInternalServerError)
return
}
var target *object.Tree
if pathSpec == "" {
target = tree
} else {
if target, err = tree.Tree(pathSpec); err != nil {
var file *object.File
var fileContent string
var lexer chroma.Lexer
var iterator chroma.Iterator
var style *chroma.Style
var formatter *chromaHTML.Formatter
var formattedHTML template.HTML
if file, err = tree.File(pathSpec); err != nil {
http.Error(w, "Error retrieving path: "+err.Error(), http.StatusInternalServerError)
return
}
if len(rawPathSpec) != 0 && rawPathSpec[len(rawPathSpec)-1] == '/' {
http.Redirect(w, r, "../"+pathSpec, http.StatusSeeOther)
if redirectNoDir(w, r) {
return
}
if fileContent, err = file.Contents(); err != nil {
http.Error(w, "Error reading file: "+err.Error(), http.StatusInternalServerError)
return
}
lexer = chromaLexers.Match(pathSpec)
if lexer == nil {
lexer = chromaLexers.Fallback
}
if iterator, err = lexer.Tokenise(nil, fileContent); err != nil {
http.Error(w, "Error tokenizing code: "+err.Error(), http.StatusInternalServerError)
return
}
var formattedHTMLStr bytes.Buffer
style = chromaStyles.Get("autumn")
formatter = chromaHTML.New(chromaHTML.WithClasses(true), chromaHTML.TabWidth(8))
if err = formatter.Format(&formattedHTMLStr, style, iterator); err != nil {
http.Error(w, "Error formatting code: "+err.Error(), http.StatusInternalServerError)
return
}
formattedHTML = template.HTML(formattedHTMLStr.Bytes()) //#nosec G203
params["file_contents"] = formattedHTML
renderTemplate(w, "repo_tree_file", params)
return
}
}
if len(rawPathSpec) != 0 && rawPathSpec[len(rawPathSpec)-1] != '/' {
http.Redirect(w, r, path.Base(pathSpec)+"/", http.StatusSeeOther)
return
}
params["readme_filename"], params["readme"] = renderReadmeAtTree(target)
params["files"] = makeDisplayTree(target)
renderTemplate(w, "repo_tree_dir", params)
}
// SPDX-License-Identifier: AGPL-3.0-only
// SPDX-FileContributor: Runxi Yu <https://runxiyu.org>
package main
import (
"errors"
"net/http"
"strconv"
"strings"
"github.com/jackc/pgx/v5"
"go.lindenii.runxiyu.org/lindenii-common/clog"
)
type forgeHTTPRouter struct{}
func (router *forgeHTTPRouter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
clog.Info("Incoming HTTP: " + r.RemoteAddr + " " + r.Method + " " + r.RequestURI)
var segments []string
var err error
var sepIndex int
params := make(map[string]any)
if segments, _, err = parseReqURI(r.RequestURI); err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
if segments[len(segments)-1] == "" {
// Might assign a trailing bool here
segments = segments[:len(segments)-1]
}
params["url_segments"] = segments
params["global"] = globalData
var userID int // 0 for none
userID, params["username"], err = getUserFromRequest(r)
params["user_id"] = userID
if errors.Is(err, http.ErrNoCookie) {
} else if errors.Is(err, pgx.ErrNoRows) {
} else if err != nil {
http.Error(w, "Error getting user info from request: "+err.Error(), http.StatusInternalServerError)
return
}
if userID == 0 {
params["user_id_string"] = ""
} else {
params["user_id_string"] = strconv.Itoa(userID)
}
if len(segments) == 0 {
httpHandleIndex(w, r, params)
return
}
if segments[0] == ":" {
if len(segments) < 2 {
errorPage404(w, params)
return
} else if len(segments) == 2 && redirectDir(w, r) {
return
}
switch segments[1] {
case "static":
staticHandler.ServeHTTP(w, r)
return
case "source":
sourceHandler.ServeHTTP(w, r)
return
}
}
if segments[0] == ":" {
switch segments[1] {
case "login":
httpHandleLogin(w, r, params)
return
case "users":
httpHandleUsers(w, r, params)
return
case "gc":
httpHandleGC(w, r, params)
return
default:
errorPage404(w, params)
return
}
}
sepIndex = -1
for i, part := range segments {
if part == ":" {
sepIndex = i
break
}
}
params["separator_index"] = sepIndex
var groupPath []string
var moduleType string
var moduleName string
if sepIndex > 0 {
groupPath = segments[:sepIndex]
} else {
groupPath = segments
}
params["group_path"] = groupPath
switch {
case sepIndex == -1:
if redirectDir(w, r) {
return
}
httpHandleGroupIndex(w, r, params)
case len(segments) == sepIndex+1:
errorPage404(w, params)
return
case len(segments) == sepIndex+2:
errorPage404(w, params)
return
default:
moduleType = segments[sepIndex+1]
moduleName = segments[sepIndex+2]
switch moduleType {
case "repos":
params["repo_name"] = moduleName
if len(segments) > sepIndex+3 {
switch segments[sepIndex+3] {
case "info":
if err = httpHandleRepoInfo(w, r, params); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
}
return
case "git-upload-pack":
if err = httpHandleUploadPack(w, r, params); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
}
return
}
}
if params["ref_type"], params["ref_name"], err = getParamRefTypeName(r); err != nil {
if errors.Is(err, errNoRefSpec) {
params["ref_type"] = ""
} else {
http.Error(w, "Error querying ref type: "+err.Error(), http.StatusInternalServerError)
return
}
}
// TODO: subgroups
if params["repo"], params["repo_description"], params["repo_id"], err = openRepo(r.Context(), groupPath, moduleName); err != nil {
http.Error(w, "Error opening repo: "+err.Error(), http.StatusInternalServerError)
return
}
if len(segments) == sepIndex+3 {
if redirectDir(w, r) {
return
}
httpHandleRepoIndex(w, r, params)
return
}
repoFeature := segments[sepIndex+3]
switch repoFeature {
case "tree":
if anyContain(segments[sepIndex+4:], "/") {
errorPage400(w, params, "Repo tree paths may not contain slashes in any segments")
return
}
params["rest"] = strings.Join(segments[sepIndex+4:], "/")
if len(segments) < sepIndex+5 && redirectDir(w, r) {
return
}
httpHandleRepoTree(w, r, params)
case "raw":
if anyContain(segments[sepIndex+4:], "/") {
errorPage400(w, params, "Repo tree paths may not contain slashes in any segments")
return
}
params["rest"] = strings.Join(segments[sepIndex+4:], "/")
if len(segments) < sepIndex+5 && redirectDir(w, r) {
return
}
httpHandleRepoRaw(w, r, params)
case "log":
if len(segments) > sepIndex+4 {
http.Error(w, "Too many parameters", http.StatusBadRequest)
return
}
if redirectDir(w, r) {
return
}
httpHandleRepoLog(w, r, params)
case "commit":
if redirectNoDir(w, r) {
return
}
params["commit_id"] = segments[sepIndex+4]
httpHandleRepoCommit(w, r, params)
case "contrib":
if redirectDir(w, r) {
return
}
switch len(segments) {
case sepIndex + 4:
httpHandleRepoContribIndex(w, r, params)
case sepIndex + 5:
params["mr_id"] = segments[sepIndex+4]
httpHandleRepoContribOne(w, r, params)
default:
http.Error(w, "Too many parameters", http.StatusBadRequest)
}
default:
errorPage404(w, params)
return
}
default:
errorPage404(w, params)
return
}
}
}
{{/*
SPDX-License-Identifier: AGPL-3.0-only
SPDX-FileContributor: Runxi Yu <https://runxiyu.org>
*/}}
{{- define "400" -}}
<!DOCTYPE html>
<html lang="en">
<head>
{{- template "head_common" . -}}
<title>400 Bad Request – {{ .global.forge_title }}</title>
</head>
<body class="400">
{{- template "header" . -}}
<div class="padding-wrapper complete-error-page">
<h1>400 Bad Request</h1>
<p>{{- .bad_request_msg -}}</p>
<hr />
<address>Lindenii Forge</address>
</div>
<footer>
{{- template "footer" . -}}
</footer>
</body>
</html>
{{- end -}}
// SPDX-License-Identifier: AGPL-3.0-only
// SPDX-FileContributor: Runxi Yu <https://runxiyu.org>
package main
import (
"errors"
"net/http"
"net/url"
"strings"
)
var (
errDupRefSpec = errors.New("duplicate ref spec")
errNoRefSpec = errors.New("no ref spec")
)
func getParamRefTypeName(r *http.Request) (retRefType, retRefName string, err error) {
qr := r.URL.RawQuery
q, err := url.ParseQuery(qr)
if err != nil {
return
}
done := false
for _, refType := range []string{"commit", "branch", "tag"} {
refName, ok := q[refType]
if ok {
if done {
err = errDupRefSpec
return
}
done = true
if len(refName) != 1 {
err = errDupRefSpec
return
}
retRefName = refName[0]
retRefType = refType
}
}
if !done {
err = errNoRefSpec
}
return
}
func parseReqURI(requestURI string) (segments []string, params url.Values, err error) {
path, paramsStr, _ := strings.Cut(requestURI, "?")
segments = strings.Split(strings.TrimPrefix(path, "/"), "/")
for i, segment := range segments {
segments[i], err = url.PathUnescape(segment)
if err != nil {
return
}
}
params, err = url.ParseQuery(paramsStr)
return
}
func redirectDir(w http.ResponseWriter, r *http.Request) bool {
requestURI := r.RequestURI
pathEnd := strings.IndexAny(requestURI, "?#")
var path, rest string
if pathEnd == -1 {
path = requestURI
} else {
path = requestURI[:pathEnd]
rest = requestURI[pathEnd:]
}
if !strings.HasSuffix(path, "/") {
http.Redirect(w, r, path+"/"+rest, http.StatusSeeOther)
return true
}
return false
}
func redirectNoDir(w http.ResponseWriter, r *http.Request) bool {
requestURI := r.RequestURI
pathEnd := strings.IndexAny(requestURI, "?#")
var path, rest string
if pathEnd == -1 {
path = requestURI
} else {
path = requestURI[:pathEnd]
rest = requestURI[pathEnd:]
}
if strings.HasSuffix(path, "/") {
http.Redirect(w, r, strings.TrimSuffix(path, "/")+rest, http.StatusSeeOther)
return true
}
return false
}
func redirectUnconditionally(w http.ResponseWriter, r *http.Request) {
requestURI := r.RequestURI
pathEnd := strings.IndexAny(requestURI, "?#")
var path, rest string
if pathEnd == -1 {
path = requestURI
} else {
path = requestURI[:pathEnd]
rest = requestURI[pathEnd:]
}
http.Redirect(w, r, path+rest, http.StatusSeeOther)
}
func segmentsToURL(segments []string) string {
for i, segment := range segments {
segments[i] = url.PathEscape(segment)
}
return strings.Join(segments, "/")
}
func anyContain(ss []string, c string) bool {
for _, s := range ss {
if strings.Contains(s, c) {
return true
}
}
return false
}