From 031b8825a6603fb76e5f46e7b36406114c07d3fb Mon Sep 17 00:00:00 2001
From: Ryan Chan
Date: Wed, 10 Jul 2019 21:32:29 +0100
Subject: Fix tree path traversal for repo tree API endpoint

Take the path parameter into account by traversing the given tree with the given path from lookup_ref() in repo_tree_GET().
---
 gitsrht/blueprints/api.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/gitsrht/blueprints/api.py b/gitsrht/blueprints/api.py
index e40ad4f..121b7e0 100644
--- a/gitsrht/blueprints/api.py
+++ b/gitsrht/blueprints/api.py
@@ -122,7 +122,7 @@ def repo_commits_GET(username, reponame, ref, path):
         defaults={"ref": None, "path": ""})
 @data.route("/api//repos//tree/",
         defaults={"path": ""})
-@data.route("/api/repos///tree//")
+@data.route("/api//repos//tree//")
 @oauth("data:read")
 def repo_tree_GET(username, reponame, ref, path):
     user = get_user(username)
@@ -136,6 +136,17 @@ def repo_tree_GET(username, reponame, ref, path):
         tree = commit
     else:
         abort(404)
+
+    path = [p for p in path.split("/") if p]
+    for part in path:
+        if not tree or part not in tree:
+            abort(404)
+        entry = tree[part]
+        if entry.type == "blob":
+            abort(404)
+        tree = git_repo.get(entry.id)
+        if not tree:
+            abort(404)
     return tree_to_dict(tree)
 
 @data.route("/api/repos//annotate", methods=["PUT"])
@@ -170,7 +181,7 @@ def repo_annotate_PUT(username, reponame):
         defaults={"username": None})
 @data.route("/api//blob//blob/",
         defaults={"path": ""})
-@data.route("/api/repos///blob//")
+@data.route("/api//repos//blob//")
 @oauth("data:read")
 def repo_blob_GET(username, reponame, ref, path):
     user = get_user(username)
-- 
cgit v1.2.3
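Review bot: The traversal loop in the second hunk only rejects blob entries, so a gitlink/submodule entry (type `"commit"`) whose object happens to exist in this repository passes `git_repo.get(entry.id)` and reaches `tree_to_dict` holding a Commit rather than a Tree; the check should be an allow-list, `if entry.type != "tree": abort(404)`, so that only tree entries are descended into. The two `not tree` tests also conflate "object missing" with "empty tree" if the object type defines `__len__`, as pygit2's Tree does, so `if tree is None:` is the safer spelling for the post-`get` check. Whether `entry.type` is the string `"tree"` or an integer depends on the pygit2 version the project pins, so the comparison should be confirmed against that release. Rebinding the `path` parameter to a list shadows the route argument; a new name such as `parts` would read more clearly. The enclosing `repo_tree_GET` body starts outside this hunk.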