Fix path resolving #36734

Merged: lunny merged 5 commits into go-gitea:main from wxiaoguang:fix-git-tmpl-path on Feb 25, 2026
@wxiaoguang
No description provided.

GiteaBot added the "lgtm/need 2" label (This PR needs two approvals by maintainers to be considered for merging.) on Feb 24, 2026
github-actions bot added the "modifies/go" label (Pull requests that update Go code) on Feb 24, 2026
wxiaoguang changed the title from "Fix path reoslving" to "Fix path resolving" on Feb 24, 2026
wxiaoguang requested a review from Copilot on February 24, 2026 06:46

Copilot AI left a comment

Pull request overview

This PR tightens path resolution when processing .gitea/template rules during repository generation by ensuring template file reads/writes only operate on regular (non-symlink) paths, and adds tests to cover the new behavior.

Changes:

  • Replace ad-hoc file reads/writes in template processing with new util.ReadRegularPathFile / util.WriteRegularPathFile helpers.
  • Add test coverage for safe “regular path file” read/write behavior (reject symlinks, constrain traversal).
  • Update repository template processing tests to ensure .git contents aren’t left behind/modified.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| services/repository/generate.go | Uses new safe path helpers for template processing and adds .git cleanup behavior. |
| services/repository/generate_test.go | Extends template-processing test setup/assertions to cover .git/config. |
| modules/util/path.go | Introduces exported safe file read/write helpers that reject non-regular paths. |
| modules/util/path_test.go | Adds tests validating the new safe read/write behavior, including symlink rejection. |
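
The check the review overview describes (read a file only through a regular, non-symlink path that stays under the root), sketched as an added example. It is not code from this PR or from Gitea; `readRegularUnder`, `demo` and the sample tree are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// readRegularUnder (hypothetical name, not Gitea's helper) reads root/rel only if
// rel stays inside root and no path component is a symlink or other special file.
func readRegularUnder(root, rel string) ([]byte, error) {
	clean := filepath.Clean(filepath.FromSlash(rel))
	if filepath.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return nil, fmt.Errorf("%q escapes the root", rel)
	}
	cur, parts := root, strings.Split(clean, string(filepath.Separator))
	for i, part := range parts {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur) // Lstat reports the link itself, never its target
		if err != nil {
			return nil, err
		}
		if last := i == len(parts)-1; (last && !fi.Mode().IsRegular()) || (!last && !fi.IsDir()) {
			return nil, fmt.Errorf("%q is not a regular path", cur)
		}
	}
	return os.ReadFile(cur)
}

// demo builds a constructed tree and reports which relative paths may be read.
func demo() map[string]bool {
	base, _ := os.MkdirTemp("", "tmpl-demo")
	defer os.RemoveAll(base)
	root := filepath.Join(base, "repo")
	os.MkdirAll(filepath.Join(root, "docs"), 0o755)
	os.WriteFile(filepath.Join(root, "docs", "README.md"), []byte("hello"), 0o644)
	os.WriteFile(filepath.Join(base, "secret.txt"), []byte("outside"), 0o600)
	os.Symlink(filepath.Join(base, "secret.txt"), filepath.Join(root, "link.txt")) // file symlink
	os.Symlink(base, filepath.Join(root, "up"))                                   // directory symlink
	out := map[string]bool{}
	for _, rel := range []string{"docs/README.md", "link.txt", "up/secret.txt", "../secret.txt"} {
		_, err := readRegularUnder(root, rel)
		out[rel] = err == nil
	}
	return out
}

func main() { fmt.Println(demo()) }
```

The Lstat walk is check-then-use, so it assumes no other process rewrites the tree between the check and the read.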


wxiaoguang added the "type/bug" and "backport/v1.25" (This PR should be backported to Gitea 1.25) labels on Feb 24, 2026
wxiaoguang force-pushed the fix-git-tmpl-path branch 4 times, most recently from 9579a9b to e532ed8, on February 24, 2026 07:46

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.



GiteaBot added the "lgtm/need 1" label (This PR needs approval from one additional maintainer to be merged.) and removed the "lgtm/need 2" label (This PR needs two approvals by maintainers to be considered for merging.) on Feb 24, 2026
GiteaBot added the "lgtm/done" label (This PR has enough approvals to get merged. There are no important open reservations anymore.) and removed the "lgtm/need 1" label (This PR needs approval from one additional maintainer to be merged.) on Feb 24, 2026
lunny added the "reviewed/wait-merge" label (This pull request is part of the merge queue. It will be merged soon.) on Feb 24, 2026
lunny enabled auto-merge (squash) on February 25, 2026 01:16
lunny merged commit 2176e84 into go-gitea:main on Feb 25, 2026
26 checks passed
GiteaBot added this to the 1.26.0 milestone on Feb 25, 2026
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Feb 25, 2026
GiteaBot added the "backport/done" label (All backports for this PR have been created) and removed the "reviewed/wait-merge" label (This pull request is part of the merge queue. It will be merged soon.) on Feb 25, 2026
zjjhot added a commit to zjjhot/gitea that referenced this pull request Feb 25, 2026
* giteaofficial/main:
  Fix path resolving (go-gitea#36734)
  [skip ci] Updated translations via Crowdin
  Fix track time list permission check (go-gitea#36662)
  Fix incorrect setting loading order (go-gitea#36735)
  Use case-insensitive matching for Git error "Not a valid object name" (go-gitea#36728)
  feat: Add workflow dependencies visualization (go-gitea#36248)
wxiaoguang deleted the fix-git-tmpl-path branch on February 25, 2026 04:10
wxiaoguang added a commit that referenced this pull request on Feb 25, 2026
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
wxiaoguang added the "topic/security" label (Something leaks user information or is otherwise vulnerable. Should be fixed!) on Feb 25, 2026
silverwind added a commit to silverwind/gitea that referenced this pull request Feb 26, 2026
* main: (24 commits)
  Instance-wide (global) info banner and maintenance mode (go-gitea#36571)
  Add created_by filter to SearchIssues (go-gitea#36670)
  Inline and lazy-load EasyMDE CSS, fix border colors (go-gitea#36714)
  Fix release draft access check logic (go-gitea#36720)
  Change image transparency grid to CSS (go-gitea#36711)
  Avoid opening new tab when downloading actions logs (go-gitea#36740)
  Add validation constraints for repository creation fields (go-gitea#36671)
  Fix SVG height calculation in diff viewer (go-gitea#36748)
  Fix path resolving (go-gitea#36734)
  [skip ci] Updated translations via Crowdin
  Fix track time list permission check (go-gitea#36662)
  Fix incorrect setting loading order (go-gitea#36735)
  Use case-insensitive matching for Git error "Not a valid object name" (go-gitea#36728)
  feat: Add workflow dependencies visualization (go-gitea#36248)
  Add keyboard shortcuts for repository file and code search (go-gitea#36416)
  Refactor text utility classes to Tailwind CSS (go-gitea#36703)
  Prevent redirect bypasses via backslash-encoded paths (go-gitea#36660)
  Fix force push time-line commit comments of pull request (go-gitea#36653)
  Fix get release draft permission check (go-gitea#36659)
  Move `X_FRAME_OPTIONS` setting from `cors` to `security` section (go-gitea#30256)
  ...

# Conflicts:
#	web_src/css/base.css
#	web_src/css/index.css
Labels

  • backport/done: All backports for this PR have been created
  • backport/v1.25: This PR should be backported to Gitea 1.25
  • lgtm/done: This PR has enough approvals to get merged. There are no important open reservations anymore.
  • modifies/go: Pull requests that update Go code
  • topic/security: Something leaks user information or is otherwise vulnerable. Should be fixed!
  • type/bug
