Safe work

gogs.go

@@ -17,7 +17,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.5.6.1024 Beta"
+const APP_VER = "0.5.6.1025 Beta"
 
 func init() {
 	runtime.GOMAXPROCS(runtime.NumCPU())

models/issue.go

@@ -211,7 +211,10 @@ func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds, sort
 
 	if len(labelIds) > 0 {
 		for _, label := range strings.Split(labelIds, ",") {
-			sess.And("label_ids like '%$" + label + "|%'")
+			// Prevent SQL inject.
+			if com.StrTo(label).MustInt() > 0 {
+				sess.And("label_ids like '%$" + label + "|%'")
+			}
 		}
 	}
 

models/repo.go

@@ -1131,17 +1131,21 @@ type SearchOption struct {
 	Keyword string
 	Uid     int64
 	Limit   int
+	Private bool
+}
+
+// FilterSQLInject tries to prevent SQL injection.
+func FilterSQLInject(key string) string {
+	key = strings.TrimSpace(key)
+	key = strings.Split(key, " ")[0]
+	key = strings.Replace(key, ",", "", -1)
+	return key
 }
 
 // SearchRepositoryByName returns given number of repositories whose name contains keyword.
 func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
 	// Prevent SQL inject.
-	opt.Keyword = strings.TrimSpace(opt.Keyword)
-	if len(opt.Keyword) == 0 {
-		return repos, nil
-	}
-
-	opt.Keyword = strings.Split(opt.Keyword, " ")[0]
+	opt.Keyword = FilterSQLInject(opt.Keyword)
 	if len(opt.Keyword) == 0 {
 		return repos, nil
 	}
@@ -1154,6 +1158,9 @@ func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) {
 	if opt.Uid > 0 {
 		sess.Where("owner_id=?", opt.Uid)
 	}
+	if !opt.Private {
+		sess.And("is_private=false")
+	}
 	sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos)
 	return repos, err
 }

models/user.go

@@ -574,13 +574,7 @@ func GetUserByEmail(email string) (*User, error) {
 
 // SearchUserByName returns given number of users whose name contains keyword.
 func SearchUserByName(opt SearchOption) (us []*User, err error) {
-	// Prevent SQL inject.
-	opt.Keyword = strings.TrimSpace(opt.Keyword)
-	if len(opt.Keyword) == 0 {
-		return us, nil
-	}
-
-	opt.Keyword = strings.Split(opt.Keyword, " ")[0]
+	opt.Keyword = FilterSQLInject(opt.Keyword)
 	if len(opt.Keyword) == 0 {
 		return us, nil
 	}

routers/api/v1/repos.go

@@ -31,6 +31,26 @@ func SearchRepos(ctx *middleware.Context) {
 		opt.Limit = 10
 	}
 
+	// Check visibility.
+	if ctx.IsSigned && opt.Uid > 0 {
+		if ctx.User.Id == opt.Uid {
+			opt.Private = true
+		} else {
+			u, err := models.GetUserById(opt.Uid)
+			if err != nil {
+				ctx.JSON(500, map[string]interface{}{
+					"ok":    false,
+					"error": err.Error(),
+				})
+				return
+			}
+			if u.IsOrganization() && u.IsOrgOwner(ctx.User.Id) {
+				opt.Private = true
+			}
+			// FIXME: how about collaborators?
+		}
+	}
+
 	repos, err := models.SearchRepositoryByName(opt)
 	if err != nil {
 		ctx.JSON(500, map[string]interface{}{

templates/.VERSION

@@ -1 +1 @@
-0.5.6.1024 Beta
+0.5.6.1025 Beta