From 1528b64eb8bbb3840b72aa5cd96728686940e442 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Mon, 5 May 2025 05:29:55 +0000
Subject: [PATCH] fix: make hash pattern more strict (#7775)
- Ensure that the last path is `commit/`, `tree/` or `blob/`.
- Resolves forgejo/forgejo#7767
- Follow up forgejo/forgejo#6784
- Added unit test
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7775
Reviewed-by: Earl Warren
Co-authored-by: Gusted
Co-committed-by: Gusted
---
 modules/markup/html.go | 2 +-
 modules/markup/html_internal_test.go | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/modules/markup/html.go b/modules/markup/html.go
index 8ea32b6b86..c13ebab98a 100644
--- a/modules/markup/html.go
+++ b/modules/markup/html.go
@@ -55,7 +55,7 @@ var (
 shortLinkPattern = regexp.MustCompile(`\[\[(.*?)\]\](\w*)`)
 // anyHashPattern splits url containing SHA into parts
- anyHashPattern = regexp.MustCompile(`https?://(?:\S+/){4,5}([0-9a-f]{7,64})(/[-+~_%.a-zA-Z0-9/]+)?(\?[-+~_%\.a-zA-Z0-9=&]+)?(#[-+~_%.a-zA-Z0-9]+)?`)
+ anyHashPattern = regexp.MustCompile(`https?://(?:(?:\S+/){3,4}(?:commit|tree|blob)/)([0-9a-f]{7,64})(/[-+~_%.a-zA-Z0-9/]+)?(\?[-+~_%\.a-zA-Z0-9=&]+)?(#[-+~_%.a-zA-Z0-9]+)?`)
 // comparePattern matches "http://domain/org/repo/compare/COMMIT1...COMMIT2#hash"
 comparePattern = regexp.MustCompile(`https?://(?:\S+/){4,5}([0-9a-f]{7,64})(\.\.\.?)([0-9a-f]{7,64})?(#[-+~_%.a-zA-Z0-9]+)?`)
diff --git a/modules/markup/html_internal_test.go b/modules/markup/html_internal_test.go
index 6a5d3bfa35..08b1fed505 100644
--- a/modules/markup/html_internal_test.go
+++ b/modules/markup/html_internal_test.go
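Review bot: In the new `anyHashPattern`, the `{3,4}` bound on `(?:\S+/)` does not limit path depth, because `\S` also matches `/`; the prefix accepts any host and any number of segments as long as `commit/`, `tree/` or `blob/` directly precedes the hex run. If the intent is host plus owner/repo (with an optional sub-path or `src/`), a slash-free segment such as `(?:[^\s/]+/){3,4}` would enforce it, with the count widened if deeper prefixes must still match. The comment above the pattern still reads as if any URL containing a SHA qualifies; it could become `// anyHashPattern splits a URL whose hash follows a commit/, tree/ or blob/ segment into parts`. `comparePattern` two lines below keeps the loose `(?:\S+/){4,5}` prefix and does not require `compare/`, although its comment describes that path. The `var (` block starts and ends outside the hunk, and whether the caller restricts matches to this instance's own URLs is not visible here.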
@@ -469,6 +469,10 @@ func TestRegExp_anySHA1Pattern(t *testing.T) {
 for k, v := range testCases {
 assert.Equal(t, anyHashPattern.FindStringSubmatch(k)[1:], v)
 }
+
+ for _, v := range []string{"https://codeberg.org/forgejo/forgejo/attachments/774421a1-b0ae-4501-8fba-983874b76811"} {
+ assert.False(t, anyHashPattern.MatchString(v))
+ }
 }
 func TestRegExp_shortLinkPattern(t *testing.T) {
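Review bot: The negative loop added at the end of `TestRegExp_anySHA1Pattern` pins only one input, a UUID after `attachments/`, so nothing checks that a full-length hex run after a non-keyword segment is rejected. A second entry would cover that, for example the constructed URL `"https://example.org/owner/repo/releases/0123456789abcdef0123456789abcdef01234567"`. The assertion also carries no message, so a failure would not say which URL matched; `assert.Falsef(t, anyHashPattern.MatchString(v), "unexpected match for %q", v)` fixes that. The test function begins outside the hunk, so the existing positive cases are not visible here.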