
security: fix path cleanup for repository init and editor (#5207)

Reported by Kacper Szurek https://security.szurek.pl/.
Lauris BH 6 vuotta sitten
vanhempi
commit
eccc8109c1
3 muutettua tiedostoa jossa 4 lisäystä ja 4 poistoa
  1. 1 1
      models/repo.go
  2. 1 1
      models/wiki.go
  3. 2 2
      routes/repo/editor.go

+ 1 - 1
models/repo.go

@@ -854,7 +854,7 @@ type CreateRepoOptions struct {
 }
 
 func getRepoInitFile(tp, name string) ([]byte, error) {
-	relPath := path.Join("conf", tp, strings.TrimLeft(name, "./"))
+	relPath := path.Join("conf", tp, strings.TrimLeft(path.Clean("/"+name), "/"))
 
 	// Use custom file when available.
 	customPath := path.Join(setting.CustomPath, relPath)
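Review bot: The new `relPath` expression on the `+` line normalises the name silently, but nothing in the code records why the `"/"+name` / `path.Clean` / `TrimLeft` dance exists, so a later maintainer could "simplify" it back to the old `TrimLeft(name, "./")` form. Add a comment above it: `// Clean against a virtual root so "." and ".." components cannot move relPath outside conf/<tp>; the leading "/" is dropped again afterwards.` Note that, unlike the old code, a name beginning with a dot now keeps its dot rather than having it stripped, which looks like the intended behaviour but is worth confirming against the callers. getRepoInitFile's body continues outside the hunk.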

+ 1 - 1
models/wiki.go

@@ -33,7 +33,7 @@ func ToWikiPageURL(name string) string {
 // that are not belong to wiki repository.
 func ToWikiPageName(urlString string) string {
 	name, _ := url.QueryUnescape(urlString)
-	return strings.Replace(strings.TrimLeft(name, "./"), "/", " ", -1)
+	return strings.Replace(strings.TrimLeft(path.Clean("/"+name), "/"), "/", " ", -1)
 }
 
 // WikiCloneLink returns clone URLs of repository wiki.
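Review bot: `ToWikiPageName` now runs `path.Clean` before the slash-to-space replacement, so repeated slashes and `.`/`..` components are collapsed and a name such as `a//b` maps to one space where it previously produced two; if wiki file names were ever derived from the old mapping, existing page links may stop resolving, which is worth confirming against the wiki file-name code. The doc comment above the function should record the normalisation, e.g. `// ToWikiPageName converts a URL segment into a wiki page name; the name is path-cleaned against a virtual root so it cannot contain ".." components.` The error from `url.QueryUnescape` on the context line is still discarded, so a malformed escape yields an empty page name — pre-existing, but an explicit empty-name check at the callers would make the failure visible.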

+ 2 - 2
routes/repo/editor.go

@@ -140,7 +140,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
 		branchName = f.NewBranchName
 	}
 
-	f.TreePath = strings.Trim(f.TreePath, " /")
+	f.TreePath = strings.Trim(path.Clean("/"+f.TreePath), " /")
 	treeNames, treePaths := getParentTreeFields(f.TreePath)
 
 	c.Data["ParentTreePath"] = path.Dir(c.Repo.TreePath)
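Review bot: On the `+` line the cleaning order is wrong for whitespace: `path.Clean` only recognises exact `.` and `..` components, so a tree path whose first component is `..` preceded by a space is left untouched by Clean and the outer `strings.Trim` then strips the space, leaving a leading `..` in `f.TreePath`; I cannot tell from here whether the later write path rejects that, so trim first and clean second. The identical line appears again in the UploadFilePost hunk below, so the fix belongs in one helper called from both sites rather than two copies of the expression. editFilePost starts and ends outside the hunk.
```go
// cleanTreePath normalises a user-supplied tree path: surrounding spaces and
// slashes are dropped first so Clean sees the real components, then the path
// is cleaned against a virtual root so ".." cannot climb above it.
func cleanTreePath(p string) string {
	p = strings.Trim(p, " /")
	return strings.Trim(path.Clean("/"+p), " /")
}

// … unchanged: editFilePost up to the branch-name block …
	f.TreePath = cleanTreePath(f.TreePath)
	treeNames, treePaths := getParentTreeFields(f.TreePath)
// … unchanged: rest of editFilePost …
```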
@@ -431,7 +431,7 @@ func UploadFilePost(c *context.Context, f form.UploadRepoFile) {
 		branchName = f.NewBranchName
 	}
 
-	f.TreePath = strings.Trim(f.TreePath, " /")
+	f.TreePath = strings.Trim(path.Clean("/"+f.TreePath), " /")
 	treeNames, treePaths := getParentTreeFields(f.TreePath)
 	if len(treeNames) == 0 {
 		// We must at least have one element for user to input.
