Add migration to sanitize repository original_url
During a large code move in go-gitea#6200 the OriginalURL field was
accidentally changed to be populated with the CloneAddr field which
will contain the username and/or password provided during a migration.

This behavior was fixed in previous PR go-gitea#9097 and this migration will
remove any authentication details that were stored in the database
between those two.
mrsdizzie committed Dec 19, 2019
1 parent 559fb6c commit 0386b80
Showing 2 changed files with 62 additions and 0 deletions.
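--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -282,6 +282,8 @@ var migrations = []Migration{
 NewMigration("remove release attachments which repository deleted", removeAttachmentMissedRepo),
 // v113 -> v114
 NewMigration("new feature: change target branch of pull requests", featureChangeTargetBranch),
+// v113 -> v114
+NewMigration("Remove authentication credentials from stored URL", sanitizeOriginalURL),
 }
 
 // Migrate database to current version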
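Review bot: The comment above the new `sanitizeOriginalURL` entry repeats `// v113 -> v114` from the preceding migration, so two consecutive entries carry the same version label. The comments appear to number each entry's schema step, in which case the new one should read `// v114 -> v115`. The description string also starts with a capital letter while the two neighbouring descriptions visible in this hunk are lowercase.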
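--- /dev/null
+++ b/models/migrations/v114.go
@@ -0,0 +1,60 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+"net/url"
+"strings"
+
+"xorm.io/xorm"
+)
+
+func sanitizeOriginalURL(x *xorm.Engine) error {
+
+type Repository struct {
+ID int64
+OriginalURL string `xorm:"VARCHAR(2048)"`
+}
+
+sess := x.NewSession()
+defer sess.Close()
+var last int
+const batchSize = 50
+for {
+var results = make([]Repository, 0, batchSize)
+err := x.Where("original_url <> '' AND original_url IS NOT NULL").
+And("original_service_type = 0 OR original_service_type IS NULL").
+OrderBy("id").
+Limit(batchSize, last).
+Find(&results)
+if err != nil {
+return err
+}
+if len(results) == 0 {
+break
+}
+last += len(results)
+
+for _, res := range results {
+u, err := url.Parse(res.OriginalURL)
+if err != nil {
+// it is ok to continue here, we only care about fixing URLs that we can read
+continue
+}
+
+if len(u.User.Username()) > 0 {
+pass, _ := u.User.Password()
+userAuth := u.User.Username() + ":" + pass + "@"
+OriginalURL := strings.Replace(res.OriginalURL, userAuth, "", -1)
+
+_, err = x.Exec("UPDATE repository SET original_url = ? WHERE id = ?", OriginalURL, res.ID)
+if err != nil {
+return err
+}
+}
+}
+}
+return nil
+}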
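Review bot: The credential stripping in the inner loop rebuilds `username:password@` from the decoded values returned by `u.User` and removes it with `strings.Replace`, which silently does nothing when that exact string is not present in the stored URL. A URL carrying only a user part (no colon before the `@`) or percent-encoded characters in its credentials would not match and would keep its secret in `original_url`, and a URL with an empty username but a password is skipped by the `len(u.User.Username()) > 0` check. Clearing the userinfo on the parsed URL covers all of these: guard on `u.User != nil`, then set `u.User = nil` and write `OriginalURL := u.String()` before the `UPDATE`. Separately, `sess` is opened and closed but every query goes through `x`, so the session is unused and the batch updates are not transactional. Rows whose URL fails `url.Parse` are skipped without any log line, so an operator cannot tell which repositories may still hold credentials after the migration.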
