fix: do not allow SSH url for migration (#7004)

- Add a new function `IsPushMirrorURLAllowed` that will allow `ssh://` url and make the existing `IsMigrateURLAllowed` not allow such URLs anymore. - Resolves forgejo/forgejo#6960 - Existing integration tests make sure that SSH urls are still allowed for the push mirror feature and added unit test to ensure that `IsMigrateURLAllowed` no longer allows SSH urls. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7004 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-09-10 15:48:29 +02:00 · 2025-02-21 07:57:06 +00:00 · 2025-02-21 07:57:06 +00:00 · e8ebb5d6e3
commit e8ebb5d6e3
parent 8910580d0b
4 changed files with 28 additions and 4 deletions
--- a/services/migrations/migrate_test.go
+++ b/services/migrations/migrate_test.go
@ -113,3 +113,18 @@ func TestAllowBlockList(t *testing.T) {
 	// reset
 	init("", "", false)
 }
+
+func TestURLAllowedSSH(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})
+	sshURL := "ssh://git@git.gay/gitgay/forgejo"
+
+	t.Run("Migrate URL", func(t *testing.T) {
+		require.Error(t, IsMigrateURLAllowed(sshURL, user))
+	})
+
+	t.Run("Pushmirror URL", func(t *testing.T) {
+		require.NoError(t, IsPushMirrorURLAllowed(sshURL, user))
+	})
+}