author | Ryan Chan <rycwo@posteo.net> | 2019-07-10 21:32:29 +0100 |
committer | Drew DeVault <sir@cmpwn.com> | 2019-07-10 19:35:53 -0400 |
commit | 031b8825a6603fb76e5f46e7b36406114c07d3fb (patch) | |
tree | cbd3d01a6ea3a0c2621ed0227cb419375e14d867 | |
parent | afe317aca93d46a6e228c25b23fada0d90362816 (diff) |
Fix tree path traversal for repo tree API endpoint
Take the path parameter into account by traversing the given tree with
the given path from lookup_ref() in repo_tree_GET().
-rw-r--r-- | gitsrht/blueprints/api.py | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/gitsrht/blueprints/api.py b/gitsrht/blueprints/api.py
index e40ad4f..121b7e0 100644
--- a/gitsrht/blueprints/api.py
+++ b/gitsrht/blueprints/api.py
@@ -122,7 +122,7 @@ def repo_commits_GET(username, reponame, ref, path):
         defaults={"ref": None, "path": ""})
 @data.route("/api/<username>/repos/<reponame>/tree/<path:ref>",
         defaults={"path": ""})
-@data.route("/api/repos/<username>/<reponame>/tree/<ref>/<path:path>")
+@data.route("/api/<username>/repos/<reponame>/tree/<ref>/<path:path>")
 @oauth("data:read")
 def repo_tree_GET(username, reponame, ref, path):
     user = get_user(username)
@@ -136,6 +136,17 @@ def repo_tree_GET(username, reponame, ref, path):
         tree = commit
     else:
         abort(404)
+
+    path = [p for p in path.split("/") if p]
+    for part in path:
+        if not tree or part not in tree:
+            abort(404)
+        entry = tree[part]
+        if entry.type == "blob":
+            abort(404)
+        tree = git_repo.get(entry.id)
+    if not tree:
+        abort(404)
     return tree_to_dict(tree)
 
 @data.route("/api/repos/<reponame>/annotate", methods=["PUT"])
@@ -170,7 +181,7 @@ def repo_annotate_PUT(username, reponame):
         defaults={"username": None})
 @data.route("/api/<username>/blob/<reponame>/blob/<path:ref>",
         defaults={"path": ""})
-@data.route("/api/repos/<username>/<reponame>/blob/<ref>/<path:path>")
+@data.route("/api/<username>/repos/<reponame>/blob/<ref>/<path:path>")
 @oauth("data:read")
 def repo_blob_GET(username, reponame, ref, path):
     user = get_user(username) |
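Review bot: In the new loop in repo_tree_GET, `if entry.type == "blob": abort(404)` only rejects blobs, so a submodule entry (pygit2 reports those with type "commit") passes through to `git_repo.get(entry.id)`, which then returns either None (caught by the later check) or, if that commit object happens to be present in the repository, a Commit that is handed to tree_to_dict(); tightening it to `if entry.type != "tree": abort(404)` closes that gap. The two `if not tree` guards rely on truthiness, and since pygit2's Tree defines `__len__`, an empty tree is falsy and would also 404; `if tree is None` states the intent exactly and is worth using in both places. Because each component is resolved by name against the tree object rather than the filesystem, `..` and empty segments cannot escape the repository (they simply miss and 404), which deserves a one-line comment such as `# walk the path component-wise inside the tree object; names are looked up in git objects, never on the filesystem`. The start of repo_tree_GET, including the lookup_ref() handling that sets tree, lies outside the hunk.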