Attachments: Add extension support, allow all types for releases (#12465)

* Attachments: Add extension support, allow all types for releases - Add support for file extensions, matching the `accept` attribute of `<input type="file">` - Add support for type wildcard mime types, e.g. `image/*` - Create repository.release.ALLOWED_TYPES setting (default unrestricted) - Change default for attachment.ALLOWED_TYPES to a list of extensions - Split out POST /attachments into two endpoints for issue/pr and releases to prevent circumvention of allowed types check Fixes: https://github.com/go-gitea/gitea/pull/10172 Fixes: https://github.com/go-gitea/gitea/issues/7266 Fixes: https://github.com/go-gitea/gitea/pull/12460 Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers * rename function * extract GET routes out of RepoMustNotBeArchived Co-authored-by: Lauris BH <lauris@nix.lv>
2025-05-25 11:22:16 +00:00 · 2020-10-05 07:49:33 +02:00 · 2020-10-05 07:49:33 +02:00 · cda44750cb
commit cda44750cb
parent 67a5573310
26 changed files with 497 additions and 226 deletions
--- a/modules/secret/secret.go
+++ b/modules/secret/secret.go
@ -5,8 +5,14 @@
 package secret

 import (
+	"crypto/aes"
+	"crypto/cipher"
 	"crypto/rand"
+	"crypto/sha256"
 	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"io"
 )

 // New creats a new secret
@ -31,3 +37,65 @@ func randomString(len int64) (string, error) {
 	b, err := randomBytes(len)
 	return base64.URLEncoding.EncodeToString(b), err
 }
+
+// AesEncrypt encrypts text and given key with AES.
+func AesEncrypt(key, text []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	b := base64.StdEncoding.EncodeToString(text)
+	ciphertext := make([]byte, aes.BlockSize+len(b))
+	iv := ciphertext[:aes.BlockSize]
+	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
+		return nil, err
+	}
+	cfb := cipher.NewCFBEncrypter(block, iv)
+	cfb.XORKeyStream(ciphertext[aes.BlockSize:], []byte(b))
+	return ciphertext, nil
+}
+
+// AesDecrypt decrypts text and given key with AES.
+func AesDecrypt(key, text []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	if len(text) < aes.BlockSize {
+		return nil, errors.New("ciphertext too short")
+	}
+	iv := text[:aes.BlockSize]
+	text = text[aes.BlockSize:]
+	cfb := cipher.NewCFBDecrypter(block, iv)
+	cfb.XORKeyStream(text, text)
+	data, err := base64.StdEncoding.DecodeString(string(text))
+	if err != nil {
+		return nil, err
+	}
+	return data, nil
+}
+
+// EncryptSecret encrypts a string with given key into a hex string
+func EncryptSecret(key string, str string) (string, error) {
+	keyHash := sha256.Sum256([]byte(key))
+	plaintext := []byte(str)
+	ciphertext, err := AesEncrypt(keyHash[:], plaintext)
+	if err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(ciphertext), nil
+}
+
+// DecryptSecret decrypts a previously encrypted hex string
+func DecryptSecret(key string, cipherhex string) (string, error) {
+	keyHash := sha256.Sum256([]byte(key))
+	ciphertext, err := hex.DecodeString(cipherhex)
+	if err != nil {
+		return "", err
+	}
+	plaintext, err := AesDecrypt(keyHash[:], ciphertext)
+	if err != nil {
+		return "", err
+	}
+	return string(plaintext), nil
+}