Sanitize credentials in mirror form (#9975)

models/repo.go

@@ -197,6 +197,14 @@ type Repository struct {
 	UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
 }
 
+// SanitizedOriginalURL returns a sanitized OriginalURL
+func (repo *Repository) SanitizedOriginalURL() string {
+	if repo.OriginalURL == "" {
+		return ""
+	}
+	return util.SanitizeURLCredentials(repo.OriginalURL, false)
+}
+
 // ColorFormat returns a colored string to represent this repo
 func (repo *Repository) ColorFormat(s fmt.State) {
 	var ownerName interface{}

modules/util/sanitize.go

@@ -7,6 +7,8 @@ package util
 import (
 	"net/url"
 	"strings"
+
+	"code.gitea.io/gitea/modules/log"
 )
 
 // urlSafeError wraps an error whose message may contain a sensitive URL
@@ -36,6 +38,7 @@ func SanitizeMessage(message, unsanitizedURL string) string {
 func SanitizeURLCredentials(unsanitizedURL string, usePlaceholder bool) string {
 	u, err := url.Parse(unsanitizedURL)
 	if err != nil {
+		log.Error("parse url %s failed: %v", unsanitizedURL, err)
 		// don't log the error, since it might contain unsanitized URL.
 		return "(unparsable url)"
 	}

modules/util/sanitize_test.go

@@ -0,0 +1,25 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package util
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSanitizeURLCredentials(t *testing.T) {
+	var kases = map[string]string{
+		"https://github.com/go-gitea/test_repo.git":         "https://github.com/go-gitea/test_repo.git",
+		"https://mytoken@github.com/go-gitea/test_repo.git": "https://github.com/go-gitea/test_repo.git",
+		"http://github.com/go-gitea/test_repo.git":          "http://github.com/go-gitea/test_repo.git",
+		"/test/repos/repo1":                                 "/test/repos/repo1",
+		"git@github.com:go-gitea/test_repo.git":             "(unparsable url)",
+	}
+
+	for source, value := range kases {
+		assert.EqualValues(t, value, SanitizeURLCredentials(source, false))
+	}
+}

templates/repo/header.tmpl

@@ -14,7 +14,7 @@
 				{{if and .RelAvatarLink .IsPrivate}}<i class="mega-octicon octicon-lock"></i>{{end}}
 				{{if .IsTemplate}}<i class="icon fa-copy"></i>{{end}}
 				{{if .IsArchived}}<i class="archive icon archived-icon"></i>{{end}}
-				{{if .IsMirror}}<div class="fork-flag">{{$.i18n.Tr "repo.mirror_from"}} <a target="_blank" rel="noopener noreferrer" href="{{MirrorAddress $.Mirror}}">{{MirrorAddress $.Mirror}}</a></div>{{end}}
+				{{if .IsMirror}}<div class="fork-flag">{{$.i18n.Tr "repo.mirror_from"}} <a target="_blank" rel="noopener noreferrer" href="{{if .SanitizedOriginalURL}}{{.SanitizedOriginalURL}}{{else}}{{MirrorAddress $.Mirror}}{{end}}">{{if .SanitizedOriginalURL}}{{.SanitizedOriginalURL}}{{else}}{{MirrorAddress $.Mirror}}{{end}}</a></div>{{end}}
 				{{if .IsFork}}<div class="fork-flag">{{$.i18n.Tr "repo.forked_from"}} <a href="{{.BaseRepo.Link}}">{{SubStr .BaseRepo.RelLink 1 -1}}</a></div>{{end}}
 				{{if .IsGenerated}}<div class="fork-flag">{{$.i18n.Tr "repo.generated_from"}} <a href="{{.TemplateRepo.Link}}">{{SubStr .TemplateRepo.RelLink 1 -1}}</a></div>{{end}}
 			</div>