From a88564b8bc9872d4bf11062a4ebcb2f42b702200 Mon Sep 17 00:00:00 2001 From: Gary Kim Date: Wed, 31 Jul 2019 10:33:40 +0800 Subject: [PATCH] Check that hashes are commits before making them links Signed-off-by: Gary Kim --- models/repo.go | 5 +++-- modules/markup/html.go | 9 +++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/models/repo.go b/models/repo.go index 501a2c9120..a30508b495 100644 --- a/models/repo.go +++ b/models/repo.go @@ -508,8 +508,9 @@ func (repo *Repository) mustOwnerName(e Engine) string { func (repo *Repository) ComposeMetas() map[string]string { if repo.ExternalMetas == nil { repo.ExternalMetas = map[string]string{ - "user": repo.MustOwner().Name, - "repo": repo.Name, + "user": repo.MustOwner().Name, + "repo": repo.Name, + "repoPath": repo.RepoPath(), } unit, err := repo.GetUnit(UnitTypeExternalTracker) if err != nil { diff --git a/modules/markup/html.go b/modules/markup/html.go index 825a41dd1f..a3db925f76 100644 --- a/modules/markup/html.go +++ b/modules/markup/html.go @@ -13,6 +13,7 @@ import ( "strings" "code.gitea.io/gitea/modules/base" + "code.gitea.io/gitea/modules/git" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/util" @@ -657,6 +658,14 @@ func sha1CurrentPatternProcessor(ctx *postProcessCtx, node *html.Node) { // but that is not always the case. // Although unlikely, deadbeef and 1234567 are valid short forms of SHA1 hash // as used by git and github for linking and thus we have to do similar. + // Because of this, we check to make sure that a matched hash is actually + // a commit in the repository before making it a link. + if ctx.metas["repoPath"] != "" { + if _, err := git.NewCommand("log", "-1", hash).RunInDirBytes(ctx.metas["repoPath"]); err != nil { + return + } + } + replaceContent(node, m[2], m[3], createCodeLink(util.URLJoin(setting.AppURL, ctx.metas["user"], ctx.metas["repo"], "commit", hash), base.ShortSha(hash))) }