repo: disallow urlencoded new lines in git protocol paths (#6420)

stypr · unknwon · mpsonntag · commit b66a68f0b3a7 · 2020-12-02T16:44:47.000+01:00
Co-authored-by: ᴜɴᴋɴᴡᴏɴ &lt;u@gogs.io&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,8 @@ All notable changes to Gogs are documented in this file.
 ### Fixed
 
 - Add `X-Frame-Options` header to prevent Clickjacking. [#6409](https://github.com/gogs/gogs/issues/6409) 
+- [Security] Potential SSRF attack by CRLF injection via repository migration. [#6413](https://github.com/gogs/gogs/issues/6413)
+
 
 ### Removed
 
diff --git a/internal/form/repo.go b/internal/form/repo.go
@@ -70,6 +70,10 @@ func (f MigrateRepo) ParseRemoteAddr(user *db.User) (string, error) {
 		if len(f.AuthUsername)+len(f.AuthPassword) > 0 {
 			u.User = url.UserPassword(f.AuthUsername, f.AuthPassword)
 		}
+		// To prevent CRLF injection in git protocol, see https://github.com/gogs/gogs/issues/6413
+		if u.Scheme == "git" && (strings.Contains(remoteAddr, "%0d") || strings.Contains(remoteAddr, "%0a")) {
+			return "", db.ErrInvalidCloneAddr{IsURLError: true}
+		}
 		remoteAddr = u.String()
 	} else if !user.CanImportLocal() {
 		return "", db.ErrInvalidCloneAddr{IsPermissionDenied: true}
