repo_tag: ignore unintended Git options when creating tags (#110)

unknwon · web-flow · commit 5aac20de0207 · 2024-12-22T16:22:17.000-05:00
### Describe the pull request Fixes GHSA-m27m-h5gj-wwmg
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -27,7 +27,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.23.x
       - name: Check Go module tidiness
@@ -51,7 +51,7 @@ jobs:
     name: Test
     strategy:
       matrix:
-        go-version: [ 1.22.x, 1.23.x ]
+        go-version: [ 1.23.x ]
         platform: [ ubuntu-latest, macos-latest, windows-latest ]
     runs-on: ${{ matrix.platform }}
     steps:
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1,2 @@
+# Default
+* @gogs/core
diff --git a/repo_tag.go b/repo_tag.go
@@ -248,6 +248,8 @@ func (r *Repository) CreateTag(name, rev string, opts ...CreateTagOptions) error
 			cmd.AddCommitter(opt.Author)
 		}
 	} else {
+		// 🚨 SECURITY: Prevent including unintended options in the path to the Git command.
+		cmd.AddArgs("--end-of-options")
 		cmd.AddArgs(name)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -248,6 +248,8 @@ func (r *Repository) CreateTag(name, rev string, opts ...CreateTagOptions) error`
`248`	`248`	`cmd.AddCommitter(opt.Author)`
`249`	`249`	`}`
`250`	`250`	`} else {`
	`251`	`+ // 🚨 SECURITY: Prevent including unintended options in the path to the Git command.`
	`252`	`+ cmd.AddArgs("--end-of-options")`
`251`	`253`	`cmd.AddArgs(name)`
`252`	`254`	`}`
`253`	`255`