From 878d61eb8c5db310ad11abe7bc0840a7d3781f6a Mon Sep 17 00:00:00 2001
From: Glenn Lewis <6598971+gmlewis@users.noreply.github.com>
Date: Mon, 12 Jun 2023 19:24:01 -0400
Subject: [PATCH 1/2] Fix auth vulnerability

Signed-off-by: Glenn Lewis <6598971+gmlewis@users.noreply.github.com>
---
 github/repos_contents.go | 7 +++++++
 github/repos_contents_test.go | 14 ++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/github/repos_contents.go b/github/repos_contents.go
index be58fd52f66..c8096934951 100644
--- a/github/repos_contents.go
+++ b/github/repos_contents.go
@@ -192,8 +192,15 @@ func (s *RepositoriesService) DownloadContentsWithMeta(ctx context.Context, owne
 // as possible, both result types will be returned but only one will contain a
 // value and the other will be nil.
 //
+// Due to an auth vulnerability issue in the GitHub v3 API, ".." is not allowed
+// to appear anywhere in the "path" or this endpoint will return an error.
+//
 // GitHub API docs: https://docs.github.com/en/rest/repos/contents#get-repository-content
 func (s *RepositoriesService) GetContents(ctx context.Context, owner, repo, path string, opts *RepositoryContentGetOptions) (fileContent *RepositoryContent, directoryContent []*RepositoryContent, resp *Response, err error) {
+	if strings.Contains(path, "..") {
+		return nil, nil, nil, errors.New("path must not contain '..' due to auth vulnerability issue")
+	}
+
 	escapedPath := (&url.URL{Path: strings.TrimSuffix(path, "/")}).String()
 	u := fmt.Sprintf("repos/%s/%s/contents/%s", owner, repo, escapedPath)
 	u, err = addOptions(u, opts)
diff --git a/github/repos_contents_test.go b/github/repos_contents_test.go
index 29262ce2db1..295c21684cd 100644
--- a/github/repos_contents_test.go
+++ b/github/repos_contents_test.go
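Review bot: The guard `if strings.Contains(path, "..")` rejects any path with two consecutive dots anywhere, not only a parent-directory segment, so legitimate names such as `docs/release..notes.md` or `a..b/file.go` now fail client-side with the auth-vulnerability error. If the server-side issue is the traversal form (`..` as a whole segment, which is what the added test exercises), checking each `/`-separated segment for equality with `..` keeps the protection for `some/../file` while letting those names through; `/` is the only separator the built URL uses, since the request path comes from `url.URL{Path: ...}`. The rest of GetContents continues outside the hunk, and `errors` is presumably already imported in this file, as the diffstat adds no import line.
```go
	// Reject a parent-directory segment, but allow names such as "a..b".
	for _, seg := range strings.Split(path, "/") {
		if seg == ".." {
			return nil, nil, nil, errors.New("path must not contain '..' due to auth vulnerability issue")
		}
	}
	// … unchanged: escapedPath / addOptions …
```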
@@ -465,6 +465,20 @@ func TestRepositoriesService_GetContents_DirectoryWithSpaces(t *testing.T) {
 	}
 }
 
+func TestRepositoriesService_GetContents_PathWithParent(t *testing.T) {
+	client, mux, _, teardown := setup()
+	defer teardown()
+	mux.HandleFunc("/repos/o/r/contents/some/../directory/file.go", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, "GET")
+		fmt.Fprint(w, `{}`)
+	})
+	ctx := context.Background()
+	_, _, _, err := client.Repositories.GetContents(ctx, "o", "r", "some/../directory/file.go", &RepositoryContentGetOptions{})
+	if err == nil {
+		t.Fatal("Repositories.GetContents expected error but got none")
+	}
+}
+
 func TestRepositoriesService_GetContents_DirectoryWithPlusChars(t *testing.T) {
 	client, mux, _, teardown := setup()
 	defer teardown()

From 49af546abdc83de671f55614c8978b2952af2a1b Mon Sep 17 00:00:00 2001
From: Glenn Lewis <6598971+gmlewis@users.noreply.github.com>
Date: Mon, 12 Jun 2023 19:28:21 -0400
Subject: [PATCH 2/2] Minor tweak

Signed-off-by: Glenn Lewis <6598971+gmlewis@users.noreply.github.com>
---
 github/repos_contents.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/github/repos_contents.go b/github/repos_contents.go
index c8096934951..874a3277283 100644
--- a/github/repos_contents.go
+++ b/github/repos_contents.go
@@ -193,7 +193,7 @@ func (s *RepositoriesService) DownloadContentsWithMeta(ctx context.Context, owne
 // value and the other will be nil.
 //
 // Due to an auth vulnerability issue in the GitHub v3 API, ".." is not allowed
-// to appear anywhere in the "path" or this endpoint will return an error.
+// to appear anywhere in the "path" or this method will return an error.
 //
 // GitHub API docs: https://docs.github.com/en/rest/repos/contents#get-repository-content
 func (s *RepositoriesService) GetContents(ctx context.Context, owner, repo, path string, opts *RepositoryContentGetOptions) (fileContent *RepositoryContent, directoryContent []*RepositoryContent, resp *Response, err error) {
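Review bot: TestRepositoriesService_GetContents_PathWithParent passes even without the new guard, because net/http's ServeMux redirects a request for `/repos/o/r/contents/some/../directory/file.go` to the cleaned path, which has no handler, so the client ends up with a 404 and `err` is non-nil either way; the handler registered for the uncleaned path is never reached. To make the test prove the client-side rejection, register a catch-all handler that fails the test if any request arrives at all, and assert on the specific error instead of just `err == nil`. The rewrite below assumes `strings` is imported in the test file; if it is not, checking that the returned `resp` is nil presumably also distinguishes the guard (which returns no response) from an HTTP error.
```go
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		t.Errorf("unexpected request to %q; the path should be rejected before any request is sent", r.URL.Path)
	})
	// … unchanged: ctx and the GetContents call …
	if err == nil || !strings.Contains(err.Error(), "must not contain '..'") {
		t.Fatalf("Repositories.GetContents expected '..' rejection error, got %v", err)
	}
```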