Fix URLJoin, markup render link resolving, sign-in/up/linkaccount page common data #36861
wxiaoguang merged 18 commits into go-gitea:main from
ed90efe to 3b9cd10
Pull request overview
This PR deprecates/removes the ambiguous URLJoin helper from production code and templates, replacing it with more explicit URL construction, while also correcting a few URL-escaping/link-resolution behaviors.
Changes:
- Rename `util.URLJoin` to `util.URLJoinDeprecated` and migrate remaining usages to either explicit concatenation or the deprecated helper in tests only.
- Remove `URLJoin` from the template func map and update templates to construct URLs without it.
- Adjust link resolution logic (`resolveLinkRelative`) and improve tag archive URL escaping (`ToTag`).
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tests/integration/api_repo_git_tags_test.go | Uses URLJoinDeprecated for tag URL expectation in tests. |
| tests/integration/api_packages_rpm_test.go | Uses URLJoinDeprecated for generated RPM repo config test. |
| templates/user/auth/captcha.tmpl | Replaces template URLJoin usage with string concatenation for Recaptcha script URL. |
| templates/repo/blame.tmpl | Replaces template URLJoin usage with print concatenation for ignore-revs link. |
| templates/package/shared/list.tmpl | Replaces template URLJoin usage with print concatenation for packages URL. |
| services/wiki/wiki_path.go | Constructs wiki HTML URLs via explicit concatenation. |
| services/convert/git_commit_test.go | Updates commit meta URL expectation to URLJoinDeprecated in tests. |
| services/convert/git_commit.go | Replaces util.URLJoin usage with explicit concatenation for commit-related URLs. |
| services/convert/convert.go | Escapes tag archive filenames with url.PathEscape; replaces API URL joins with concatenation. |
| services/context/repo.go | Replaces URLJoin use in canonical URL construction with manual trimming/concatenation. |
| routers/web/repo/wiki.go | Replaces redirect URL join with concatenation. |
| routers/web/repo/editor.go | Replaces redirect URL join with concatenation while preserving segment escaping. |
| modules/util/util_test.go | Switches URL join test to URLJoinDeprecated. |
| modules/util/url.go | Renames URLJoin → URLJoinDeprecated and documents deprecation intent. |
| modules/templates/helper.go | Removes URLJoin from template function map. |
| modules/setting/server.go | Replaces URLJoin usage in MakeAbsoluteAssetURL with string concatenation. |
| modules/recaptcha/recaptcha.go | Builds Recaptcha verification URL via TrimSuffix + constant path. |
| modules/markup/render_link_test.go | Adds/adjusts tests for relative link resolution. |
| modules/markup/render_link.go | Reimplements relative link resolution using net/url + path.Join. |
| modules/markup/markdown/markdown_test.go | Updates test URL joining to URLJoinDeprecated. |
| modules/markup/html_test.go | Updates multiple test URL joins to URLJoinDeprecated. |
| modules/markup/html_mention.go | Replaces URLJoin usage with fmt.Sprintf for team mention links. |
| modules/markup/html_issue.go | Replaces URLJoin usage with fmt.Sprintf for issue links. |
| modules/markup/html_internal_test.go | Updates test URL joins to URLJoinDeprecated. |
| modules/markup/html_commit.go | Replaces URLJoin usage with fmt.Sprintf for commit links. |
| modules/markup/camo.go | Replaces URLJoin usage with manual concatenation for camo proxy URL. |
Maybe completely remove it? I could exercise the LLM to remove it from those remaining tests.
Next PR. This PR is already quite complex with many changes.
silverwind left a comment
Written by Claude on behalf of @silverwind
resolveLinkRelative error path drops link (modules/markup/render_link.go): When `url.Parse(link)` fails, the fallback ignores `link` entirely:

```go
if err != nil {
	finalLink = strings.TrimSuffix(base, "/") + path.Join("/"+cur)
}
```

Should probably still include `link`, e.g. `path.Join("/"+cur, "/"+link)`.

captcha.tmpl double-slash: The default RECAPTCHA_URL is `https://www.google.com/recaptcha/` (trailing slash). The template change `{{print .RecaptchaURL "/api.js"}}` produces `.../recaptcha//api.js`. The Go-side change in recaptcha.go does `strings.TrimSuffix`, but the template doesn't get the same treatment.

Duplicate test assertion in render_link_test.go: Line 314 is identical to line 313 — should be a different case (e.g. testing fragment preservation).
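The three URL-building points raised in this thread (trailing-slash concatenation, escaping a tag name with `url.PathEscape`, and relative link resolution with `net/url` + `path.Join`), as an added example that is not Gitea's code and not part of any comment here. `joinBase`, `archiveURL` and `resolveRelative` are hypothetical names, and the `example.test` URLs and the `archive/<tag>.zip` layout are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// joinBase appends suffix to base with exactly one slash between them.
func joinBase(base, suffix string) string {
	return strings.TrimSuffix(base, "/") + "/" + strings.TrimPrefix(suffix, "/")
}

// archiveURL escapes the tag as a single path segment, so "/", "#" and "?"
// in a tag name cannot change the URL's structure (layout is an assumption).
func archiveURL(repoURL, tag string) string {
	return joinBase(repoURL, "archive/"+url.PathEscape(tag)+".zip")
}

// resolveRelative is a hypothetical stand-in, not Gitea's resolveLinkRelative.
// cur is the directory of the rendered file, relative to base.
func resolveRelative(base, cur, link string) string {
	u, err := url.Parse(link)
	if err != nil {
		// Unparseable link: keep it in the result rather than dropping it.
		return strings.TrimSuffix(base, "/") + path.Join("/"+cur, "/"+link)
	}
	if u.Scheme != "" || u.Host != "" {
		return link // absolute or protocol-relative: leave untouched
	}
	p := u.EscapedPath()
	if strings.HasPrefix(p, "/") {
		p = path.Clean(p) // root-relative: resolve against base only
	} else {
		p = path.Join("/"+cur, p) // a rooted Clean discards leading ".."
	}
	out := strings.TrimSuffix(base, "/") + p
	if u.RawQuery != "" {
		out += "?" + u.RawQuery
	}
	if f := u.EscapedFragment(); f != "" {
		out += "#" + f
	}
	return out
}

func main() {
	fmt.Println(resolveRelative("https://example.test/org/repo/", "docs", "../../../etc?x=1#top"))
}
```

Because the joined path is rooted before it is cleaned, extra `..` segments in a link cannot climb above `base`; `path.Join` also drops a trailing slash, which matters if directory links must keep theirs.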
Update: changed my mind, here is not related to "link security". Updated the tests
Pull request overview
Copilot reviewed 24 out of 24 changed files in this pull request and generated no new comments.
Pull request overview
Copilot reviewed 27 out of 27 changed files in this pull request and generated 1 comment.
* origin/main:
  Optimize Docker build with dependency layer caching (go-gitea#36864)
  Fix URLJoin, markup render link resolving, sign-in/up/linkaccount page common data (go-gitea#36861)
  Fix CodeQL code scanning alerts (go-gitea#36858)
  Refactor auth middleware (go-gitea#36848)
  Update Nix flake (go-gitea#36857)
  Update JS deps (go-gitea#36850)
  Load `mentionValues` asynchronously (go-gitea#36739)
  [skip ci] Updated translations via Crowdin

* main: (26 commits)
  Clean up `refreshViewedFilesSummary` (go-gitea#36868)
  Remove `util.URLJoin` and replace all callers with direct path concatenation (go-gitea#36867)
  Optimize Docker build with dependency layer caching (go-gitea#36864)
  Fix URLJoin, markup render link resolving, sign-in/up/linkaccount page common data (go-gitea#36861)
  Fix CodeQL code scanning alerts (go-gitea#36858)
  Refactor auth middleware (go-gitea#36848)
  Update Nix flake (go-gitea#36857)
  Update JS deps (go-gitea#36850)
  Load `mentionValues` asynchronously (go-gitea#36739)
  [skip ci] Updated translations via Crowdin
  Fix dbfs error handling (go-gitea#36844)
  Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797)
  Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)
  Fix non-admins unable to automerge PRs from forks (go-gitea#36833)
  upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (go-gitea#36837)
  Fix dump release asset bug (go-gitea#36799)
  build(deps): update material-icon-theme v5.32.0 (go-gitea#36832)
  Fix bug to check whether user can update pull request branch or rebase branch (go-gitea#36465)
  Fix forwarded proto handling for public URL detection (go-gitea#36810)
  Fix artifacts v4 backend upload problems (go-gitea#36805)
  ...

# Conflicts:
#	pnpm-lock.yaml

* giteaofficial/main:
  Update minimum go version to 1.26.1, golangci-lint to 2.11.2, fix test style (go-gitea#36876)
  Add render cache for SVG icons (go-gitea#36863)
  Fix incorrect viewed files counter if reverted change was viewed (go-gitea#36819)
  [skip ci] Updated translations via Crowdin
  Clean up `refreshViewedFilesSummary` (go-gitea#36868)
  Remove `util.URLJoin` and replace all callers with direct path concatenation (go-gitea#36867)
  Optimize Docker build with dependency layer caching (go-gitea#36864)
  Fix URLJoin, markup render link resolving, sign-in/up/linkaccount page common data (go-gitea#36861)
  Fix CodeQL code scanning alerts (go-gitea#36858)
  Refactor auth middleware (go-gitea#36848)
  Update Nix flake (go-gitea#36857)
  Update JS deps (go-gitea#36850)
  Load `mentionValues` asynchronously (go-gitea#36739)
  [skip ci] Updated translations via Crowdin
  Fix dbfs error handling (go-gitea#36844)
  Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797)
  Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)
The logic of "URLJoin" is unclear and it is often abused.
Also:
- `resolveLinkRelative` behavior
- `ToTag`