fix(db): correctly check Git path on case-insensitive file system (#7359

)

CHANGELOG.md

@@ -29,6 +29,7 @@ All notable changes to Gogs are documented in this file.
 ### Fixed
 
 - _Security:_ Stored XSS for issue assignees. [#7145](https://github.com/gogs/gogs/issues/7145)
+- _Security:_ OS Command Injection in repo editor on case-insensitive file systems. [#7030](https://github.com/gogs/gogs/issues/7030)
 - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
 - Unable to choose "Lookup Avatar by mail" in user settings without deleting custom avatar. [#7267](https://github.com/gogs/gogs/pull/7267)
 - Mistakenly include the "data" directory under the custom directory in the Docker setup. [#7343](https://github.com/gogs/gogs/pull/7343)

internal/db/repo_editor.go

@@ -485,7 +485,10 @@ type UploadRepoFileOptions struct {
 
 // isRepositoryGitPath returns true if given path is or resides inside ".git"
 // path of the repository.
+//
+// TODO(unknwon): Move to repoutil during refactoring for this file.
 func isRepositoryGitPath(path string) bool {
+	path = strings.ToLower(path)
 	return strings.HasSuffix(path, ".git") ||
 		strings.Contains(path, ".git/") ||
 		strings.Contains(path, `.git\`) ||

internal/db/repo_editor_test.go

@@ -10,7 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func Test_isRepositoryGitPath(t *testing.T) {
+func TestIsRepositoryGitPath(t *testing.T) {
 	tests := []struct {
 		path    string
 		wantVal bool
@@ -21,6 +21,13 @@ func Test_isRepositoryGitPath(t *testing.T) {
 		{path: ".git/hooks", wantVal: true},
 		{path: "dir/.git", wantVal: true},
 
+		// Case-insensitive file system
+		{path: ".Git", wantVal: true},
+		{path: "./.Git", wantVal: true},
+		{path: ".Git/hooks/pre-commit", wantVal: true},
+		{path: ".Git/hooks", wantVal: true},
+		{path: "dir/.Git", wantVal: true},
+
 		{path: ".gitignore", wantVal: false},
 		{path: "dir/.gitkeep", wantVal: false},