mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-15 15:30:26 +00:00
ce0a376723
It was possible to hijack attachments during update and create functions to another owner as permissions to check they weren't already attached to another resource and wasn't checked if it belonged to the repository that was being operated on.
320 lines
11 KiB
Go
320 lines
11 KiB
Go
// Copyright 2017 The Gitea Authors. All rights reserved.
|
|
// Copyright 2026 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package repo
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net/url"
|
|
"path"
|
|
|
|
"forgejo.org/models/db"
|
|
"forgejo.org/modules/setting"
|
|
"forgejo.org/modules/storage"
|
|
"forgejo.org/modules/timeutil"
|
|
"forgejo.org/modules/util"
|
|
"forgejo.org/modules/validation"
|
|
|
|
"xorm.io/builder"
|
|
)
|
|
|
|
// Attachment represent a attachment of issue/comment/release.
|
|
type Attachment struct {
|
|
ID int64 `xorm:"pk autoincr"`
|
|
// UUID is the public identifier of the attachment, and is used during HTTP
|
|
// requests to refer to a specific attachment.
|
|
UUID string `xorm:"uuid UNIQUE"`
|
|
// UploaderID is always set and non-zero and refers to the user that has
|
|
// uploaded this attachment.
|
|
UploaderID int64 `xorm:"INDEX DEFAULT 0"`
|
|
// RepoID is always set and non-zero and refers to the repository where this
|
|
// attachment was uploaded to.
|
|
RepoID int64 `xorm:"INDEX"`
|
|
// IssueID, ReleaseID and CommentID have multiple possible states:
|
|
// - ReleaseID != 0 && IssueID == 0 && CommentID == 0: attached to release with id `ReleaseID`.
|
|
// - ReleaseID == 0 && IssueID != 0 && CommentID == 0: attached to the issue with id `IssueID`.
|
|
// - ReleaseID == 0 && IssueID != 0 && CommentID != 0: attached to comment with id `CommentID` that is in issue with id `IssueID`.
|
|
// All other states should be considered invalid.
|
|
IssueID int64 `xorm:"INDEX"`
|
|
ReleaseID int64 `xorm:"INDEX"`
|
|
CommentID int64 `xorm:"INDEX"`
|
|
Name string
|
|
DownloadCount int64 `xorm:"DEFAULT 0"`
|
|
Size int64 `xorm:"DEFAULT 0"`
|
|
NoAutoTime bool `xorm:"-"`
|
|
CreatedUnix timeutil.TimeStamp `xorm:"created"`
|
|
CustomDownloadURL string `xorm:"-"`
|
|
ExternalURL string
|
|
}
|
|
|
|
func init() {
|
|
db.RegisterModel(new(Attachment))
|
|
}
|
|
|
|
// IncreaseDownloadCount is update download count + 1
|
|
func (a *Attachment) IncreaseDownloadCount(ctx context.Context) error {
|
|
// Update download count.
|
|
if _, err := db.GetEngine(ctx).Exec("UPDATE `attachment` SET download_count=download_count+1 WHERE id=?", a.ID); err != nil {
|
|
return fmt.Errorf("increase attachment count: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// AttachmentRelativePath returns the relative path
|
|
func AttachmentRelativePath(uuid string) string {
|
|
return path.Join(uuid[0:1], uuid[1:2], uuid)
|
|
}
|
|
|
|
// RelativePath returns the relative path of the attachment
|
|
func (a *Attachment) RelativePath() string {
|
|
return AttachmentRelativePath(a.UUID)
|
|
}
|
|
|
|
// DownloadURL returns the download url of the attached file
|
|
func (a *Attachment) DownloadURL() string {
|
|
if a.ExternalURL != "" {
|
|
return a.ExternalURL
|
|
}
|
|
|
|
if a.CustomDownloadURL != "" {
|
|
return a.CustomDownloadURL
|
|
}
|
|
|
|
return setting.AppURL + "attachments/" + url.PathEscape(a.UUID)
|
|
}
|
|
|
|
// IsAttachedToResource returns true if this attachment is attached to a release,
|
|
// issue or comment.
|
|
func (a *Attachment) IsAttachedToResource() bool {
|
|
return a.ReleaseID != 0 || a.IssueID != 0 || a.CommentID != 0
|
|
}
|
|
|
|
// ErrAttachmentNotExist represents a "AttachmentNotExist" kind of error.
|
|
type ErrAttachmentNotExist struct {
|
|
ID int64
|
|
UUID string
|
|
}
|
|
|
|
// IsErrAttachmentNotExist checks if an error is a ErrAttachmentNotExist.
|
|
func IsErrAttachmentNotExist(err error) bool {
|
|
_, ok := err.(ErrAttachmentNotExist)
|
|
return ok
|
|
}
|
|
|
|
func (err ErrAttachmentNotExist) Error() string {
|
|
return fmt.Sprintf("attachment does not exist [id: %d, uuid: %s]", err.ID, err.UUID)
|
|
}
|
|
|
|
func (err ErrAttachmentNotExist) Unwrap() error {
|
|
return util.ErrNotExist
|
|
}
|
|
|
|
type ErrInvalidExternalURL struct {
|
|
ExternalURL string
|
|
}
|
|
|
|
func IsErrInvalidExternalURL(err error) bool {
|
|
_, ok := err.(ErrInvalidExternalURL)
|
|
return ok
|
|
}
|
|
|
|
func (err ErrInvalidExternalURL) Error() string {
|
|
return fmt.Sprintf("invalid external URL: '%s'", err.ExternalURL)
|
|
}
|
|
|
|
func (err ErrInvalidExternalURL) Unwrap() error {
|
|
return util.ErrPermissionDenied
|
|
}
|
|
|
|
// GetAttachmentByID returns attachment by given id
|
|
func GetAttachmentByID(ctx context.Context, id int64) (*Attachment, error) {
|
|
attach := &Attachment{}
|
|
if has, err := db.GetEngine(ctx).ID(id).Get(attach); err != nil {
|
|
return nil, err
|
|
} else if !has {
|
|
return nil, ErrAttachmentNotExist{ID: id, UUID: ""}
|
|
}
|
|
return attach, nil
|
|
}
|
|
|
|
// GetAttachmentByUUID returns attachment by given UUID.
|
|
func GetAttachmentByUUID(ctx context.Context, uuid string) (*Attachment, error) {
|
|
attach := &Attachment{}
|
|
has, err := db.GetEngine(ctx).Where("uuid=?", uuid).Get(attach)
|
|
if err != nil {
|
|
return nil, err
|
|
} else if !has {
|
|
return nil, ErrAttachmentNotExist{0, uuid}
|
|
}
|
|
return attach, nil
|
|
}
|
|
|
|
type FindAttachmentOptions struct {
|
|
ReleaseID int64
|
|
IssueID int64
|
|
CommentID int64
|
|
}
|
|
|
|
func (opts FindAttachmentOptions) ToConds() builder.Cond {
|
|
return builder.Eq{"release_id": opts.ReleaseID, "issue_id": opts.IssueID, "comment_id": opts.CommentID}
|
|
}
|
|
|
|
// FindRepoAttachmentsByUUID always returns attachment that has a UUID that is
|
|
// in the given `uuids` argument and is attached to the repository.
|
|
//
|
|
// The values in `opts` are always as a condition even if they are zero, this
|
|
// allows to search for attachments that are not yet attached to any resource by
|
|
// specifying a empty struct.
|
|
func FindRepoAttachmentsByUUID(ctx context.Context, repoID int64, uuids []string, opts FindAttachmentOptions) ([]*Attachment, error) {
|
|
// Nothing to match anyway.
|
|
if len(uuids) == 0 {
|
|
return []*Attachment{}, nil
|
|
}
|
|
|
|
// At maximum nothing is filtered and we get all attachments via the UUID.
|
|
attachments := make([]*Attachment, 0, len(uuids))
|
|
|
|
err := db.GetEngine(ctx).
|
|
Where("repo_id = ?", repoID).
|
|
In("uuid", uuids).
|
|
And(opts.ToConds()).
|
|
Find(&attachments)
|
|
return attachments, err
|
|
}
|
|
|
|
// ExistAttachmentsByUUID returns true if attachment exists with the given UUID
|
|
func ExistAttachmentsByUUID(ctx context.Context, uuid string) (bool, error) {
|
|
return db.GetEngine(ctx).Where("`uuid`=?", uuid).Exist(new(Attachment))
|
|
}
|
|
|
|
// GetAttachmentsByIssueID returns all attachments of an issue.
|
|
func GetAttachmentsByIssueID(ctx context.Context, issueID int64) ([]*Attachment, error) {
|
|
attachments := make([]*Attachment, 0, 10)
|
|
return attachments, db.GetEngine(ctx).Where("issue_id = ? AND comment_id = 0", issueID).Find(&attachments)
|
|
}
|
|
|
|
// GetAttachmentsByIssueIDImagesLatest returns the latest image attachments of an issue.
|
|
func GetAttachmentsByIssueIDImagesLatest(ctx context.Context, issueID int64) ([]*Attachment, error) {
|
|
attachments := make([]*Attachment, 0, 5)
|
|
return attachments, db.GetEngine(ctx).Where(`issue_id = ? AND (name like '%.apng'
|
|
OR name like '%.avif'
|
|
OR name like '%.bmp'
|
|
OR name like '%.gif'
|
|
OR name like '%.jpg'
|
|
OR name like '%.jpeg'
|
|
OR name like '%.jxl'
|
|
OR name like '%.png'
|
|
OR name like '%.svg'
|
|
OR name like '%.webp')`, issueID).Desc("comment_id").Limit(5).Find(&attachments)
|
|
}
|
|
|
|
// GetAttachmentsByCommentID returns all attachments if comment by given ID.
|
|
func GetAttachmentsByCommentID(ctx context.Context, commentID int64) ([]*Attachment, error) {
|
|
attachments := make([]*Attachment, 0, 10)
|
|
return attachments, db.GetEngine(ctx).Where("comment_id=?", commentID).Find(&attachments)
|
|
}
|
|
|
|
// GetAttachmentByReleaseIDFileName returns attachment by given releaseId and fileName.
|
|
func GetAttachmentByReleaseIDFileName(ctx context.Context, releaseID int64, fileName string) (*Attachment, error) {
|
|
attach := &Attachment{ReleaseID: releaseID, Name: fileName}
|
|
has, err := db.GetEngine(ctx).Get(attach)
|
|
if err != nil {
|
|
return nil, err
|
|
} else if !has {
|
|
return nil, err
|
|
}
|
|
return attach, nil
|
|
}
|
|
|
|
// DeleteAttachment deletes the given attachment and optionally the associated file.
|
|
func DeleteAttachment(ctx context.Context, a *Attachment, remove bool) error {
|
|
_, err := DeleteAttachments(ctx, []*Attachment{a}, remove)
|
|
return err
|
|
}
|
|
|
|
// DeleteAttachments deletes the given attachments and optionally the associated files.
|
|
func DeleteAttachments(ctx context.Context, attachments []*Attachment, remove bool) (int, error) {
|
|
if len(attachments) == 0 {
|
|
return 0, nil
|
|
}
|
|
|
|
ids := make([]int64, 0, len(attachments))
|
|
for _, a := range attachments {
|
|
ids = append(ids, a.ID)
|
|
}
|
|
|
|
cnt, err := db.GetEngine(ctx).In("id", ids).NoAutoCondition().Delete(attachments[0])
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
if remove {
|
|
for i, a := range attachments {
|
|
if err := storage.Attachments.Delete(a.RelativePath()); err != nil {
|
|
return i, err
|
|
}
|
|
}
|
|
}
|
|
return int(cnt), nil
|
|
}
|
|
|
|
// DeleteAttachmentsByComment deletes all attachments associated with the given comment.
|
|
func DeleteAttachmentsByComment(ctx context.Context, commentID int64, remove bool) (int, error) {
|
|
attachments, err := GetAttachmentsByCommentID(ctx, commentID)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
return DeleteAttachments(ctx, attachments, remove)
|
|
}
|
|
|
|
// UpdateAttachmentByUUID Updates attachment via uuid
|
|
func UpdateAttachmentByUUID(ctx context.Context, attach *Attachment, cols ...string) error {
|
|
if attach.UUID == "" {
|
|
return errors.New("attachment uuid should be not blank")
|
|
}
|
|
if attach.ExternalURL != "" && !validation.IsValidReleaseAssetURL(attach.ExternalURL) {
|
|
return ErrInvalidExternalURL{ExternalURL: attach.ExternalURL}
|
|
}
|
|
_, err := db.GetEngine(ctx).Where("uuid=?", attach.UUID).Cols(cols...).Update(attach)
|
|
return err
|
|
}
|
|
|
|
// UpdateAttachment updates the given attachment in database
|
|
func UpdateAttachment(ctx context.Context, atta *Attachment) error {
|
|
if atta.ExternalURL != "" && !validation.IsValidReleaseAssetURL(atta.ExternalURL) {
|
|
return ErrInvalidExternalURL{ExternalURL: atta.ExternalURL}
|
|
}
|
|
sess := db.GetEngine(ctx).Cols("name", "issue_id", "release_id", "comment_id", "download_count")
|
|
if atta.ID != 0 && atta.UUID == "" {
|
|
sess = sess.ID(atta.ID)
|
|
} else {
|
|
// Use uuid only if id is not set and uuid is set
|
|
sess = sess.Where("uuid = ?", atta.UUID)
|
|
}
|
|
_, err := sess.Update(atta)
|
|
return err
|
|
}
|
|
|
|
// DeleteAttachmentsByRelease deletes all attachments associated with the given release.
|
|
func DeleteAttachmentsByRelease(ctx context.Context, releaseID int64) error {
|
|
_, err := db.GetEngine(ctx).Where("release_id = ?", releaseID).Delete(&Attachment{})
|
|
return err
|
|
}
|
|
|
|
// CountOrphanedAttachments returns the number of bad attachments
|
|
func CountOrphanedAttachments(ctx context.Context) (int64, error) {
|
|
return db.GetEngine(ctx).Where("(issue_id > 0 and issue_id not in (select id from issue)) or (release_id > 0 and release_id not in (select id from `release`))").
|
|
Count(new(Attachment))
|
|
}
|
|
|
|
// DeleteOrphanedAttachments delete all bad attachments
|
|
func DeleteOrphanedAttachments(ctx context.Context) error {
|
|
_, err := db.GetEngine(ctx).Where("(issue_id > 0 and issue_id not in (select id from issue)) or (release_id > 0 and release_id not in (select id from `release`))").
|
|
Delete(new(Attachment))
|
|
return err
|
|
}
|