Fix template path possible symlink

services/repository/generate.go

@@ -178,6 +178,9 @@ func substGiteaTemplateFile(ctx context.Context, tmpDir, tmpDirSubPath string, t
 	generatedContent := generateExpansion(ctx, string(content), templateRepo, generateRepo)
 	substSubPath := filePathSanitize(generateExpansion(ctx, tmpDirSubPath, templateRepo, generateRepo))
 	newLocalPath := filepath.Join(tmpDir, substSubPath)
+	if err := ensureNoSymlinkInPath(tmpDir, newLocalPath); err != nil {
+		return nil
+	}
 	regular, err := util.IsRegularFile(newLocalPath)
 	if canWrite := regular || errors.Is(err, fs.ErrNotExist); !canWrite {
 		return nil
@@ -337,3 +340,38 @@ func filePathSanitize(s string) string {
 	}
 	return filepath.Clean(filepath.FromSlash(strings.Trim(strings.Join(fields, "/"), "/")))
 }
+
+func ensureNoSymlinkInPath(baseDir, targetPath string) error {
+	relPath, err := filepath.Rel(baseDir, targetPath)
+	if err != nil {
+		return err
+	}
+	if relPath == "." {
+		return nil
+	}
+	if relPath == ".." || strings.HasPrefix(relPath, ".."+string(filepath.Separator)) {
+		return fmt.Errorf("path escapes base directory: %s", targetPath)
+	}
+
+	current := baseDir
+	for part := range strings.SplitSeq(relPath, string(filepath.Separator)) {
+		if part == "" || part == "." {
+			continue
+		}
+		current = filepath.Join(current, part)
+		info, err := os.Lstat(current)
+		if err != nil {
+			if errors.Is(err, fs.ErrNotExist) {
+				return nil
+			}
+			return err
+		}
+		if info.Mode()&os.ModeSymlink != 0 {
+			return fmt.Errorf("path contains symlink: %s", current)
+		}
+		if !info.IsDir() {
+			return nil
+		}
+	}
+	return nil
+}

services/repository/generate_test.go

@@ -87,6 +87,16 @@ func TestProcessGiteaTemplateFile(t *testing.T) {
 		assert.Equal(t, expected, string(data), "file content mismatch for %s", path)
 	}
 
+	assertAbsFileContent := func(path, expected string) {
+		data, err := os.ReadFile(path)
+		if expected == "" {
+			assert.ErrorIs(t, err, os.ErrNotExist)
+			return
+		}
+		require.NoError(t, err)
+		assert.Equal(t, expected, string(data), "file content mismatch for %s", path)
+	}
+
 	assertSymLink := func(path, expected string) {
 		link, err := os.Readlink(filepath.Join(tmpDir, path))
 		if expected == "" {
@@ -98,7 +108,7 @@ func TestProcessGiteaTemplateFile(t *testing.T) {
 	}
 
 	require.NoError(t, os.MkdirAll(tmpDir+"/.gitea", 0o755))
-	require.NoError(t, os.WriteFile(tmpDir+"/.gitea/template", []byte("*\ninclude/**"), 0o644))
+	require.NoError(t, os.WriteFile(tmpDir+"/.gitea/template", []byte("*\ninclude/**\n**/hook"), 0o644))
 	require.NoError(t, os.MkdirAll(tmpDir+"/sub", 0o755))
 	require.NoError(t, os.MkdirAll(tmpDir+"/include/foo/bar", 0o755))
 
@@ -139,6 +149,15 @@ func TestProcessGiteaTemplateFile(t *testing.T) {
 		assertSubstTemplateName("dummy subst template name normal", "dummy subst template name to link", "link target content from ${TEMPLATE_NAME}")
 	}
 
+	// case-5
+	outsideDir := t.TempDir()
+	{
+		require.NoError(t, os.MkdirAll(tmpDir+"/subst-${TEMPLATE_NAME}-via-link", 0o755))
+		require.NoError(t, os.WriteFile(tmpDir+"/subst-${TEMPLATE_NAME}-via-link/hook", []byte("hook content ${TEMPLATE_NAME}"), 0o644))
+		require.NoError(t, os.WriteFile(filepath.Join(outsideDir, "hook"), []byte("outside hook"), 0o644))
+		require.NoError(t, os.Symlink(outsideDir, tmpDir+"/subst-TemplateRepoName-via-link"))
+	}
+
 	// process the template files
 	{
 		templateRepo := &repo_model.Repository{Name: "TemplateRepoName"}
@@ -182,6 +201,13 @@ func TestProcessGiteaTemplateFile(t *testing.T) {
 		assertSymLink("subst-${TEMPLATE_NAME}-from-link", tmpDir+"/sub/link-target")
 	}
 
+	// case-5
+	{
+		assertFileContent("subst-${TEMPLATE_NAME}-via-link/hook", "")
+		assertSymLink("subst-TemplateRepoName-via-link", outsideDir)
+		assertAbsFileContent(filepath.Join(outsideDir, "hook"), "outside hook")
+	}
+
 	{
 		templateFilePath := tmpDir + "/.gitea/template"