models/repo_editor: add isRepositoryGitPath to detect invalid file path (#5558)

models/repo_editor.go

@@ -443,6 +443,11 @@ type UploadRepoFileOptions struct {
 	Files        []string // In UUID format
 }
 
+// isRepositoryGitPath returns true if given path is or resides inside ".git" path of the repository.
+func isRepositoryGitPath(path string) bool {
+	return strings.HasSuffix(path, ".git") || strings.Contains(path, ".git"+string(os.PathSeparator))
+}
+
 func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions) (err error) {
 	if len(opts.Files) == 0 {
 		return nil
@@ -480,7 +485,7 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
 		}
 
 		// Prevent copying files into .git directory, see https://github.com/gogs/gogs/issues/5558.
-		if strings.HasPrefix(upload.Name, ".git/") {
+		if isRepositoryGitPath(upload.Name) {
 			continue
 		}
 

models/repo_editor_test.go

@@ -0,0 +1,34 @@
+// Copyright 2018 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package models
+
+import (
+	"os"
+	"testing"
+
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func Test_isRepositoryGitPath(t *testing.T) {
+	Convey("Check if path is or resides inside '.git'", t, func() {
+		sep := string(os.PathSeparator)
+		testCases := []struct {
+			path   string
+			expect bool
+		}{
+			{"." + sep + ".git", true},
+			{"." + sep + ".git" + sep + "", true},
+			{"." + sep + ".git" + sep + "hooks" + sep + "pre-commit", true},
+			{".git" + sep + "hooks", true},
+			{"dir" + sep + ".git", true},
+
+			{".gitignore", false},
+			{"dir" + sep + ".gitkeep", false},
+		}
+		for _, tc := range testCases {
+			So(isRepositoryGitPath(tc.path), ShouldEqual, tc.expect)
+		}
+	})
+}