0
0
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2024-11-25 00:12:52 +01:00
gitea/modules/context
zeripath e77b76425e
Prepend refs/heads/ to issue template refs (#20461)
Fix #20456

At some point during the 1.17 cycle abbreviated refishs to issue
branches started breaking. This is likely due serious inconsistencies in
our management of refs throughout Gitea - which is a bug needing to be
addressed in a different PR. (Likely more than one)

We should try to use non-abbreviated `fullref`s as much as possible.
That is where a user has inputted a abbreviated `refish` we should add
`refs/heads/` if it is `branch` etc. I know people keep writing and
merging PRs that remove prefixes from stored content but it is just
wrong and it keeps causing problems like this. We should only remove the
prefix at the time of
presentation as the prefix is the only way of knowing umambiguously and
permanently if the `ref` is referring to a `branch`, `tag` or `commit` /
`SHA`. We need to make it so that every ref has the appropriate prefix,
and probably also need to come up with some definitely unambiguous way
of storing `SHA`s if they're used in a `ref` or `refish` field. We must
not store a potentially
ambiguous `refish` as a `ref`. (Especially when referring a `tag` -
there is no reason why users cannot create a `branch` with the same
short name as a `tag` and vice versa and any attempt to prevent this
will fail. You can even create a `branch` and a
`tag` that matches the `SHA` pattern.)

To that end in order to fix this bug, when parsing issue templates check
the provided `Ref` (here a `refish` because almost all users do not know
or understand the subtly), if it does not start with `refs/` add the
`BranchPrefix` to it. This allows people to make their templates refer
to a `tag` but not to a `SHA` directly. (I don't think that is
particularly unreasonable but if people disagree I can make the `refish`
be checked to see if it matches the `SHA` pattern.)

Next we need to handle the issue links that are already written. The
links here are created with `git.RefURL`

Here we see there is a bug introduced in #17551 whereby the provided
`ref` argument can be double-escaped so we remove the incorrect external
escape. (The escape added in #17551 is in the right place -
unfortunately I missed that the calling function was doing the wrong
thing.)

Then within `RefURL()` we check if an unprefixed `ref` (therefore
potentially a `refish`) matches the `SHA` pattern before assuming that
is actually a `commit` - otherwise is assumed to be a `branch`. This
will handle most of the problem cases excepting the very unusual cases
where someone has deliberately written a `branch` to look like a `SHA1`.

But please if something is called a `ref` or interpreted as a `ref` make
it a full-ref before storing or using it. By all means if something is a
`branch` assume the prefix is removed but always add it back in if you
are using it as a `ref`. Stop storing abbreviated `branch` names and
`tag` names - which are `refish` as a `ref`. It will keep on causing
problems like this.

Fix #20456

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-11-22 20:58:49 +08:00
..
access_log.go Pass down SignedUserName down to AccessLogger context (#16605) 2021-08-04 13:26:30 -04:00
api.go Add Cache-Control header to html and api responses, add no-transform (#20432) 2022-07-23 14:38:03 +08:00
api_org.go Move organization related structs into sub package (#18518) 2022-03-29 14:29:02 +08:00
api_test.go format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
auth.go Respond with a 401 on git push when password isn't changed yet (#20026) 2022-06-19 20:23:00 +01:00
captcha.go format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
context.go Fix setting HTTP headers after write (#21833) 2022-11-18 01:55:15 +08:00
csrf.go Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337) 2022-04-08 13:21:05 +08:00
form.go Add config options to hide issue events (#17414) 2022-01-21 18:59:26 +01:00
org.go Add user/organization code search (#19977) 2022-10-11 00:12:03 +01:00
package.go Fix package access for admins and inactive users (#21580) 2022-10-24 22:23:25 +03:00
pagination.go Remove tab/TabName usage where it's not needed (#19973) 2022-06-15 23:05:32 +08:00
permission.go Move access and repo permission to models/perm/access (#19350) 2022-05-11 12:09:36 +02:00
private.go Add more linters to improve code readability (#19989) 2022-06-20 12:02:49 +02:00
repo.go Prepend refs/heads/ to issue template refs (#20461) 2022-11-22 20:58:49 +08:00
response.go format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
utils.go Add more linters to improve code readability (#19989) 2022-06-20 12:02:49 +02:00
xsrf.go Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337) 2022-04-08 13:21:05 +08:00
xsrf_test.go Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337) 2022-04-08 13:21:05 +08:00