From e57f7639379c8561a8109b35d171a1540d75577e Mon Sep 17 00:00:00 2001
From: mrsdizzie <info@mrsdizzie.com>
Date: Thu, 19 Dec 2019 04:49:48 -0500
Subject: [PATCH] Add migration to sanitize repository original_url (#9423)

* Add migration to sanitize repository original_url

During a large code move in #6200 the OriginalURL field was
accidentally changed to be populated with the CloneAddr field, which
will contain the username and/or password provided during a migration.

This behavior was fixed in previous PR #9097 and this migration will
remove any authentication details that were stored in the database
between those two.

* use net/url to rebuild URL instead of strings.Replace

* Update models/migrations/migrations.go

* changes per lunny

* make fmt
---
 models/migrations/migrations.go |  2 ++
 models/migrations/v114.go       | 52 +++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 models/migrations/v114.go

diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index cbea5a95dd..923b5f5759 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -282,6 +282,8 @@ var migrations = []Migration{
 	NewMigration("remove release attachments which repository deleted", removeAttachmentMissedRepo),
 	// v113 -> v114
 	NewMigration("new feature: change target branch of pull requests", featureChangeTargetBranch),
+	// v114 -> v115
+	NewMigration("Remove authentication credentials from stored URL", sanitizeOriginalURL),
 }
 
 // Migrate database to current version
diff --git a/models/migrations/v114.go b/models/migrations/v114.go
new file mode 100644
index 0000000000..25a187f6e8
--- /dev/null
+++ b/models/migrations/v114.go
@@ -0,0 +1,52 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"net/url"
+
+	"xorm.io/xorm"
+)
+
+func sanitizeOriginalURL(x *xorm.Engine) error {
+
+	type Repository struct {
+		ID          int64
+		OriginalURL string `xorm:"VARCHAR(2048)"`
+	}
+
+	var last int
+	const batchSize = 50
+	for {
+		var results = make([]Repository, 0, batchSize)
+		err := x.Where("original_url <> '' AND original_url IS NOT NULL").
+			And("original_service_type = 0 OR original_service_type IS NULL").
+			OrderBy("id").
+			Limit(batchSize, last).
+			Find(&results)
+		if err != nil {
+			return err
+		}
+		if len(results) == 0 {
+			break
+		}
+		last += len(results)
+
+		for _, res := range results {
+			u, err := url.Parse(res.OriginalURL)
+			if err != nil {
+				// it is ok to continue here, we only care about fixing URLs that we can read
+				continue
+			}
+			u.User = nil
+			originalURL := u.String()
+			_, err = x.Exec("UPDATE repository SET original_url = ? WHERE id = ?", originalURL, res.ID)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
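Review bot: In the `url.Parse` error branch of the inner loop the row is skipped without any trace, so a stored `original_url` that does not parse keeps whatever username or password it holds while the migration still reports success. Since the purpose here is removing credentials, that branch should at least record the repository so an operator can clean it up by hand, e.g. `log.Warn("sanitizeOriginalURL: cannot parse original_url of repository %d, left unchanged", res.ID)` (this needs the `modules/log` import, and the message should carry only the ID, never the URL itself). A value without a scheme may also parse successfully with `u.User` unset and pass through unchanged, so it is worth confirming that such values cannot have been stored. Separately, rows that carry no userinfo are still rewritten with `u.String()`; an `if u.User == nil { continue }` before the `UPDATE` would limit writes to the affected rows.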