	Prevent NPE on partial match of compare URL and allow short SHA1 compare URLs (#18472)
* Don't panic & allow shorter sha1 - Don't panic when the full regex isn't matched, and allow a shorter sha1 to be used. - Resolves #18471 * Update modules/markup/html.go Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
		| @@ -55,7 +55,7 @@ var ( | |||||||
| 	anySHA1Pattern = regexp.MustCompile(`https?://(?:\S+/){4,5}([0-9a-f]{40})(/[-+~_%.a-zA-Z0-9/]+)?(#[-+~_%.a-zA-Z0-9]+)?`) | 	anySHA1Pattern = regexp.MustCompile(`https?://(?:\S+/){4,5}([0-9a-f]{40})(/[-+~_%.a-zA-Z0-9/]+)?(#[-+~_%.a-zA-Z0-9]+)?`) | ||||||
|  |  | ||||||
| 	// comparePattern matches "http://domain/org/repo/compare/COMMIT1...COMMIT2#hash" | 	// comparePattern matches "http://domain/org/repo/compare/COMMIT1...COMMIT2#hash" | ||||||
| 	comparePattern = regexp.MustCompile(`https?://(?:\S+/){4,5}([0-9a-f]{40})(\.\.\.?)([0-9a-f]{40})?(#[-+~_%.a-zA-Z0-9]+)?`) | 	comparePattern = regexp.MustCompile(`https?://(?:\S+/){4,5}([0-9a-f]{7,40})(\.\.\.?)([0-9a-f]{7,40})?(#[-+~_%.a-zA-Z0-9]+)?`) | ||||||
|  |  | ||||||
| 	validLinksPattern = regexp.MustCompile(`^[a-z][\w-]+://`) | 	validLinksPattern = regexp.MustCompile(`^[a-z][\w-]+://`) | ||||||
|  |  | ||||||
| @@ -946,6 +946,13 @@ func comparePatternProcessor(ctx *RenderContext, node *html.Node) { | |||||||
| 			return | 			return | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
|  | 		// Ensure that every group (m[0]...m[7]) has a match | ||||||
|  | 		for i := 0; i < 8; i++ { | ||||||
|  | 			if m[i] == -1 { | ||||||
|  | 				return | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  |  | ||||||
| 		urlFull := node.Data[m[0]:m[1]] | 		urlFull := node.Data[m[0]:m[1]] | ||||||
| 		text1 := base.ShortSha(node.Data[m[2]:m[3]]) | 		text1 := base.ShortSha(node.Data[m[2]:m[3]]) | ||||||
| 		textDots := base.ShortSha(node.Data[m[4]:m[5]]) | 		textDots := base.ShortSha(node.Data[m[4]:m[5]]) | ||||||
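Review bot: The new guard in comparePatternProcessor hard-codes `i < 8`, which matches comparePattern's current group layout only by convention, so a later edit to the regex could silently reopen the out-of-range slice on user-supplied markup. In the pattern as shown, the second SHA is the only group below index 8 marked optional, so `if m[6] == -1 { return }` with a comment naming that group would state the invariant directly. Alternatively, dropping the `?` after the second `([0-9a-f]{7,40})` would keep partial URLs from matching at all. The guard also exits with `return`; the function body starts and ends outside the hunk, but if this sits in a loop over the node's text, one partial compare URL would stop linkification of any complete one that follows it.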
|   | |||||||
| @@ -548,3 +548,16 @@ func TestFuzz(t *testing.T) { | |||||||
|  |  | ||||||
| 	assert.NoError(t, err) | 	assert.NoError(t, err) | ||||||
| } | } | ||||||
|  |  | ||||||
|  | func TestIssue18471(t *testing.T) { | ||||||
|  | 	data := `http://domain/org/repo/compare/783b039...da951ce` | ||||||
|  |  | ||||||
|  | 	var res strings.Builder | ||||||
|  | 	err := PostProcess(&RenderContext{ | ||||||
|  | 		URLPrefix: "https://example.com", | ||||||
|  | 		Metas:     localMetas, | ||||||
|  | 	}, strings.NewReader(data), &res) | ||||||
|  |  | ||||||
|  | 	assert.NoError(t, err) | ||||||
|  | 	assert.Equal(t, res.String(), "<a href=\"http://domain/org/repo/compare/783b039...da951ce\" class=\"compare\"><code class=\"nohighlight\">783b039...da951ce</code></a>") | ||||||
|  | } | ||||||
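Review bot: TestIssue18471 only feeds a URL in which both short SHAs are present, so the input fully matches the relaxed `{7,40}` pattern and never takes the `return` branch of the new `m[i] == -1` guard, which is the part that prevents the panic. A second case with a partial URL, for example the constructed input `http://domain/org/repo/compare/783b039...` with no second commit, asserting only `assert.NoError(t, err)`, would pin the crash fix for user-supplied markup. Separately, testify's `assert.Equal` takes the expected value first, so the last assertion reads better as `assert.Equal(t, expected, res.String())` with the HTML literal as `expected`.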
|   | |||||||