forgejo/routers/web
zeripath e77b76425e
Prepend refs/heads/ to issue template refs (#20461)
Fix #20456

At some point during the 1.17 cycle abbreviated refishs to issue
branches started breaking. This is likely due serious inconsistencies in
our management of refs throughout Gitea - which is a bug needing to be
addressed in a different PR. (Likely more than one)

We should try to use non-abbreviated `fullref`s as much as possible.
That is where a user has inputted a abbreviated `refish` we should add
`refs/heads/` if it is `branch` etc. I know people keep writing and
merging PRs that remove prefixes from stored content but it is just
wrong and it keeps causing problems like this. We should only remove the
prefix at the time of
presentation as the prefix is the only way of knowing umambiguously and
permanently if the `ref` is referring to a `branch`, `tag` or `commit` /
`SHA`. We need to make it so that every ref has the appropriate prefix,
and probably also need to come up with some definitely unambiguous way
of storing `SHA`s if they're used in a `ref` or `refish` field. We must
not store a potentially
ambiguous `refish` as a `ref`. (Especially when referring a `tag` -
there is no reason why users cannot create a `branch` with the same
short name as a `tag` and vice versa and any attempt to prevent this
will fail. You can even create a `branch` and a
`tag` that matches the `SHA` pattern.)

To that end in order to fix this bug, when parsing issue templates check
the provided `Ref` (here a `refish` because almost all users do not know
or understand the subtly), if it does not start with `refs/` add the
`BranchPrefix` to it. This allows people to make their templates refer
to a `tag` but not to a `SHA` directly. (I don't think that is
particularly unreasonable but if people disagree I can make the `refish`
be checked to see if it matches the `SHA` pattern.)

Next we need to handle the issue links that are already written. The
links here are created with `git.RefURL`

Here we see there is a bug introduced in #17551 whereby the provided
`ref` argument can be double-escaped so we remove the incorrect external
escape. (The escape added in #17551 is in the right place -
unfortunately I missed that the calling function was doing the wrong
thing.)

Then within `RefURL()` we check if an unprefixed `ref` (therefore
potentially a `refish`) matches the `SHA` pattern before assuming that
is actually a `commit` - otherwise is assumed to be a `branch`. This
will handle most of the problem cases excepting the very unusual cases
where someone has deliberately written a `branch` to look like a `SHA1`.

But please if something is called a `ref` or interpreted as a `ref` make
it a full-ref before storing or using it. By all means if something is a
`branch` assume the prefix is removed but always add it back in if you
are using it as a `ref`. Stop storing abbreviated `branch` names and
`tag` names - which are `refish` as a `ref`. It will keep on causing
problems like this.

Fix #20456

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-11-22 20:58:49 +08:00
..
admin Revert unrelated changes for SMTP auth (#21767) 2022-11-10 16:12:23 -05:00
auth Extract updateSession function to reduce repetition (#21735) 2022-11-10 19:43:06 +08:00
events Improve Stopwatch behavior (#18930) 2022-04-25 22:45:22 +02:00
explore Add context.Context to more methods (#21546) 2022-11-19 16:12:33 +08:00
feed Fix setting HTTP headers after write (#21833) 2022-11-18 01:55:15 +08:00
healthcheck Update go-chi/cache to utilize Ping() (#19719) 2022-05-15 20:43:27 +02:00
misc Fix panic in team repos API (#19431) 2022-04-20 18:43:26 +08:00
org Add package registry cleanup rules (#21658) 2022-11-20 16:08:38 +02:00
repo Prepend refs/heads/ to issue template refs (#20461) 2022-11-22 20:58:49 +08:00
shared/packages Add package registry cleanup rules (#21658) 2022-11-20 16:08:38 +02:00
user Add package registry cleanup rules (#21658) 2022-11-20 16:08:38 +02:00
auth.go Remove legacy +build: constraint (#19582) 2022-05-02 23:22:45 +08:00
auth_windows.go Let web and API routes have different auth methods group (#19168) 2022-03-28 12:46:28 +08:00
base.go Share HTML template renderers and create a watcher framework (#20218) 2022-08-28 10:43:25 +01:00
goget.go Refactor legacy unknwon/com package, improve golangci lint (#19284) 2022-04-01 16:47:50 +08:00
home.go Add context.Context to more methods (#21546) 2022-11-19 16:12:33 +08:00
metrics.go Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00
nodeinfo.go Add nodeinfo endpoint for federation purposes (#16953) 2021-09-28 01:38:06 +02:00
swagger_json.go Refactor routers directory (#15800) 2021-06-09 01:33:54 +02:00
web.go Allow disable RSS/Atom feed (#21622) 2022-11-21 13:14:58 +08:00
webfinger.go Fix various typos (#20338) 2022-07-12 23:32:37 +02:00