Sanitize credentials in mirror form (#9975)

6 years ago · a67c06ce90
--- a/models/repo.go
+++ b/models/repo.go
@@ -197,6 +197,14 @@ type Repository struct {
 	UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
 }
 // SanitizedOriginalURL returns a sanitized OriginalURL
 func (repo *Repository) SanitizedOriginalURL() string {
 	if repo.OriginalURL == "" {
 		return ""
 	}
 	return util.SanitizeURLCredentials(repo.OriginalURL, false)
 }
 // ColorFormat returns a colored string to represent this repo
 func (repo *Repository) ColorFormat(s fmt.State) {
 	var ownerName interface{}
--- a/modules/util/sanitize.go
+++ b/modules/util/sanitize.go
@@ -7,6 +7,8 @@ package util
 import (
 	"net/url"
 	"strings"
 	"code.gitea.io/gitea/modules/log"
 )
 // urlSafeError wraps an error whose message may contain a sensitive URL
@@ -36,6 +38,7 @@ func SanitizeMessage(message, unsanitizedURL string) string {
 func SanitizeURLCredentials(unsanitizedURL string, usePlaceholder bool) string {
 	u, err := url.Parse(unsanitizedURL)
 	if err != nil {
 		log.Error("parse url %s failed: %v", unsanitizedURL, err)
 		// don't log the error, since it might contain unsanitized URL.
 		return "(unparsable url)"
 	}
--- a/modules/util/sanitize_test.go
+++ b/modules/util/sanitize_test.go
@@ -0,0 +1,25 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 package util
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestSanitizeURLCredentials(t *testing.T) {
 	var kases = map[string]string{
 		"https://github.com/go-gitea/test_repo.git":         "https://github.com/go-gitea/test_repo.git",
 		"https://mytoken@github.com/go-gitea/test_repo.git": "https://github.com/go-gitea/test_repo.git",
 		"http://github.com/go-gitea/test_repo.git":          "http://github.com/go-gitea/test_repo.git",
 		"/test/repos/repo1":                                 "/test/repos/repo1",
 		"git@github.com:go-gitea/test_repo.git":             "(unparsable url)",
 	}
 	for source, value := range kases {
 		assert.EqualValues(t, value, SanitizeURLCredentials(source, false))
 	}
 }
--- a/templates/repo/header.tmpl
+++ b/templates/repo/header.tmpl
@@ -14,7 +14,7 @@
 				{{if and .RelAvatarLink .IsPrivate}}<i class="mega-octicon octicon-lock"></i>{{end}}
 				{{if .IsTemplate}}<i class="icon fa-copy"></i>{{end}}
 				{{if .IsArchived}}<i class="archive icon archived-icon"></i>{{end}}
 				{{if .IsMirror}}<div class="fork-flag">{{$.i18n.Tr "repo.mirror_from"}} <a target="_blank" rel="noopener noreferrer" href="{{MirrorAddress $.Mirror}}">{{MirrorAddress $.Mirror}}</a></div>{{end}}
 				{{if .IsMirror}}<div class="fork-flag">{{$.i18n.Tr "repo.mirror_from"}} <a target="_blank" rel="noopener noreferrer" href="{{if .SanitizedOriginalURL}}{{.SanitizedOriginalURL}}{{else}}{{MirrorAddress $.Mirror}}{{end}}">{{if .SanitizedOriginalURL}}{{.SanitizedOriginalURL}}{{else}}{{MirrorAddress $.Mirror}}{{end}}</a></div>{{end}}
 				{{if .IsFork}}<div class="fork-flag">{{$.i18n.Tr "repo.forked_from"}} <a href="{{.BaseRepo.Link}}">{{SubStr .BaseRepo.RelLink 1 -1}}</a></div>{{end}}
 				{{if .IsGenerated}}<div class="fork-flag">{{$.i18n.Tr "repo.generated_from"}} <a href="{{.TemplateRepo.Link}}">{{SubStr .TemplateRepo.RelLink 1 -1}}</a></div>{{end}}
 			</div>