go-gitea
diff --git a/‎.devcontainer/devcontainer.json
Lines changed: 3 additions & 2 deletions b/‎.devcontainer/devcontainer.json
Lines changed: 3 additions & 2 deletions
diff --git a/‎.gitpod.yml
Lines changed: 1 addition & 1 deletion b/‎.gitpod.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎cmd/web.go
Lines changed: 9 additions & 3 deletions b/‎cmd/web.go
Lines changed: 9 additions & 3 deletions
diff --git a/‎docs/content/doc/usage/template-repositories.en-us.md
Lines changed: 2 additions & 0 deletions b/‎docs/content/doc/usage/template-repositories.en-us.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎models/actions/variable.go
Lines changed: 97 additions & 0 deletions b/‎models/actions/variable.go
Lines changed: 97 additions & 0 deletions
diff --git a/‎models/migrations/migrations.go
Lines changed: 3 additions & 0 deletions b/‎models/migrations/migrations.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎models/migrations/v1_21/v261.go
Lines changed: 24 additions & 0 deletions b/‎models/migrations/v1_21/v261.go
Lines changed: 24 additions & 0 deletions
diff --git a/‎models/secret/secret.go
Lines changed: 4 additions & 38 deletions b/‎models/secret/secret.go
Lines changed: 4 additions & 38 deletions
diff --git a/‎modules/repository/generate.go
Lines changed: 30 additions & 2 deletions b/‎modules/repository/generate.go
Lines changed: 30 additions & 2 deletions
diff --git a/‎modules/repository/generate_test.go
Lines changed: 11 additions & 0 deletions b/‎modules/repository/generate_test.go
Lines changed: 11 additions & 0 deletions
@@ -5,7 +5,8 @@
     // installs nodejs into container
     "ghcr.io/devcontainers/features/node:1": {
       "version":"20"
-    }
+    },
+    "ghcr.io/devcontainers/features/git-lfs:1.1.0": {}
   },
   "customizations": {
     "vscode": {
@@ -20,7 +21,7 @@
         "Vue.volar",
         "ms-azuretools.vscode-docker",
         "zixuanchen.vitest-explorer",
-        "alexcvzz.vscode-sqlite"
+        "qwtel.sqlite-viewer"
       ]
     }
   },
 
@@ -34,7 +34,7 @@ vscode:
     - Vue.volar
     - ms-azuretools.vscode-docker
     - zixuanchen.vitest-explorer
-    - alexcvzz.vscode-sqlite
+    - qwtel.sqlite-viewer
 
 ports:
   - name: Gitea
 
@@ -217,9 +217,15 @@ func setPort(port string) error {
 		defaultLocalURL += ":" + setting.HTTPPort + "/"
 
 		// Save LOCAL_ROOT_URL if port changed
-		setting.CfgProvider.Section("server").Key("LOCAL_ROOT_URL").SetValue(defaultLocalURL)
-		if err := setting.CfgProvider.Save(); err != nil {
-			return fmt.Errorf("Failed to save config file: %v", err)
+		rootCfg := setting.CfgProvider
+		saveCfg, err := rootCfg.PrepareSaving()
+		if err != nil {
+			return fmt.Errorf("failed to save config file: %v", err)
+		}
+		rootCfg.Section("server").Key("LOCAL_ROOT_URL").SetValue(defaultLocalURL)
+		saveCfg.Section("server").Key("LOCAL_ROOT_URL").SetValue(defaultLocalURL)
+		if err = saveCfg.Save(); err != nil {
+			return fmt.Errorf("failed to save config file: %v", err)
 		}
 	}
 	return nil
 
@@ -51,6 +51,8 @@ a/b/c/d.json
 
 In any file matched by the above globs, certain variables will be expanded.
 
+Matching filenames and paths can also be expanded, and are conservatively sanitized to support cross-platform filesystems.
+
 All variables must be of the form `$VAR` or `${VAR}`. To escape an expansion, use a double `$$`, such as `$$VAR` or `$${VAR}`
 
 | Variable             | Expands To                                          | Transformable |
 
@@ -0,0 +1,97 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/util"
+
+	"xorm.io/builder"
+)
+
+type ActionVariable struct {
+	ID          int64              `xorm:"pk autoincr"`
+	OwnerID     int64              `xorm:"UNIQUE(owner_repo_name)"`
+	RepoID      int64              `xorm:"INDEX UNIQUE(owner_repo_name)"`
+	Name        string             `xorm:"UNIQUE(owner_repo_name) NOT NULL"`
+	Data        string             `xorm:"LONGTEXT NOT NULL"`
+	CreatedUnix timeutil.TimeStamp `xorm:"created NOT NULL"`
+	UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
+}
+
+func init() {
+	db.RegisterModel(new(ActionVariable))
+}
+
+func (v *ActionVariable) Validate() error {
+	if v.OwnerID == 0 && v.RepoID == 0 {
+		return errors.New("the variable is not bound to any scope")
+	}
+	return nil
+}
+
+func InsertVariable(ctx context.Context, ownerID, repoID int64, name, data string) (*ActionVariable, error) {
+	variable := &ActionVariable{
+		OwnerID: ownerID,
+		RepoID:  repoID,
+		Name:    strings.ToUpper(name),
+		Data:    data,
+	}
+	if err := variable.Validate(); err != nil {
+		return variable, err
+	}
+	return variable, db.Insert(ctx, variable)
+}
+
+type FindVariablesOpts struct {
+	db.ListOptions
+	OwnerID int64
+	RepoID  int64
+}
+
+func (opts *FindVariablesOpts) toConds() builder.Cond {
+	cond := builder.NewCond()
+	if opts.OwnerID > 0 {
+		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
+	}
+	if opts.RepoID > 0 {
+		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
+	}
+	return cond
+}
+
+func FindVariables(ctx context.Context, opts FindVariablesOpts) ([]*ActionVariable, error) {
+	var variables []*ActionVariable
+	sess := db.GetEngine(ctx)
+	if opts.PageSize != 0 {
+		sess = db.SetSessionPagination(sess, &opts.ListOptions)
+	}
+	return variables, sess.Where(opts.toConds()).Find(&variables)
+}
+
+func GetVariableByID(ctx context.Context, variableID int64) (*ActionVariable, error) {
+	var variable ActionVariable
+	has, err := db.GetEngine(ctx).Where("id=?", variableID).Get(&variable)
+	if err != nil {
+		return nil, err
+	} else if !has {
+		return nil, fmt.Errorf("variable with id %d: %w", variableID, util.ErrNotExist)
+	}
+	return &variable, nil
+}
+
+func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error) {
+	count, err := db.GetEngine(ctx).ID(variable.ID).Cols("name", "data").
+		Update(&ActionVariable{
+			Name: variable.Name,
+			Data: variable.Data,
+		})
+	return count != 0, err
+}
@@ -503,6 +503,9 @@ var migrations = []Migration{
 
 	// v260 -> v261
 	NewMigration("Drop custom_labels column of action_runner table", v1_21.DropCustomLabelsColumnOfActionRunner),
+
+	// v261 -> v262
+	NewMigration("Add variable table", v1_21.CreateVariableTable),
 }
 
 // GetCurrentDBVersion returns the current db version
 
@@ -0,0 +1,24 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_21 //nolint
+
+import (
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"xorm.io/xorm"
+)
+
+func CreateVariableTable(x *xorm.Engine) error {
+	type ActionVariable struct {
+		ID          int64              `xorm:"pk autoincr"`
+		OwnerID     int64              `xorm:"UNIQUE(owner_repo_name)"`
+		RepoID      int64              `xorm:"INDEX UNIQUE(owner_repo_name)"`
+		Name        string             `xorm:"UNIQUE(owner_repo_name) NOT NULL"`
+		Data        string             `xorm:"LONGTEXT NOT NULL"`
+		CreatedUnix timeutil.TimeStamp `xorm:"created NOT NULL"`
+		UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
+	}
+
+	return x.Sync(new(ActionVariable))
+}
@@ -5,38 +5,17 @@ package secret
 
 import (
 	"context"
-	"fmt"
-	"regexp"
+	"errors"
 	"strings"
 
 	"code.gitea.io/gitea/models/db"
 	secret_module "code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
-	"code.gitea.io/gitea/modules/util"
 
 	"xorm.io/builder"
 )
 
-type ErrSecretInvalidValue struct {
-	Name *string
-	Data *string
-}
-
-func (err ErrSecretInvalidValue) Error() string {
-	if err.Name != nil {
-		return fmt.Sprintf("secret name %q is invalid", *err.Name)
-	}
-	if err.Data != nil {
-		return fmt.Sprintf("secret data %q is invalid", *err.Data)
-	}
-	return util.ErrInvalidArgument.Error()
-}
-
-func (err ErrSecretInvalidValue) Unwrap() error {
-	return util.ErrInvalidArgument
-}
-
 // Secret represents a secret
 type Secret struct {
 	ID          int64
@@ -74,24 +53,11 @@ func init() {
 	db.RegisterModel(new(Secret))
 }
 
-var (
-	secretNameReg            = regexp.MustCompile("^[A-Z_][A-Z0-9_]*$")
-	forbiddenSecretPrefixReg = regexp.MustCompile("^GIT(EA|HUB)_")
-)
-
-// Validate validates the required fields and formats.
 func (s *Secret) Validate() error {
-	switch {
-	case len(s.Name) == 0 || len(s.Name) > 50:
-		return ErrSecretInvalidValue{Name: &s.Name}
-	case len(s.Data) == 0:
-		return ErrSecretInvalidValue{Data: &s.Data}
-	case !secretNameReg.MatchString(s.Name) ||
-		forbiddenSecretPrefixReg.MatchString(s.Name):
-		return ErrSecretInvalidValue{Name: &s.Name}
-	default:
-		return nil
+	if s.OwnerID == 0 && s.RepoID == 0 {
+		return errors.New("the secret is not bound to any scope")
 	}
+	return nil
 }
 
 type FindSecretsOptions struct {
 
@@ -11,6 +11,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"time"
 
@@ -48,7 +49,7 @@ var defaultTransformers = []transformer{
 	{Name: "TITLE", Transform: util.ToTitleCase},
 }
 
-func generateExpansion(src string, templateRepo, generateRepo *repo_model.Repository) string {
+func generateExpansion(src string, templateRepo, generateRepo *repo_model.Repository, sanitizeFileName bool) string {
 	expansions := []expansion{
 		{Name: "REPO_NAME", Value: generateRepo.Name, Transformers: defaultTransformers},
 		{Name: "TEMPLATE_NAME", Value: templateRepo.Name, Transformers: defaultTransformers},
@@ -74,6 +75,9 @@ func generateExpansion(src string, templateRepo, generateRepo *repo_model.Reposi
 
 	return os.Expand(src, func(key string) string {
 		if expansion, ok := expansionMap[key]; ok {
+			if sanitizeFileName {
+				return fileNameSanitize(expansion)
+			}
 			return expansion
 		}
 		return key
@@ -191,10 +195,24 @@ func generateRepoCommit(ctx context.Context, repo, templateRepo, generateRepo *r
 						}
 
 						if err := os.WriteFile(path,
-							[]byte(generateExpansion(string(content), templateRepo, generateRepo)),
+							[]byte(generateExpansion(string(content), templateRepo, generateRepo, false)),
 							0o644); err != nil {
 							return err
 						}
+
+						substPath := filepath.FromSlash(filepath.Join(tmpDirSlash,
+							generateExpansion(base, templateRepo, generateRepo, true)))
+
+						// Create parent subdirectories if needed or continue silently if it exists
+						if err := os.MkdirAll(filepath.Dir(substPath), 0o755); err != nil {
+							return err
+						}
+
+						// Substitute filename variables
+						if err := os.Rename(path, substPath); err != nil {
+							return err
+						}
+
 						break
 					}
 				}
@@ -353,3 +371,13 @@ func GenerateRepository(ctx context.Context, doer, owner *user_model.User, templ
 
 	return generateRepo, nil
 }
+
+// Sanitize user input to valid OS filenames
+//
+//		Based on https://github.com/sindresorhus/filename-reserved-regex
+//	 Adds ".." to prevent directory traversal
+func fileNameSanitize(s string) string {
+	re := regexp.MustCompile(`(?i)\.\.|[<>:\"/\\|?*\x{0000}-\x{001F}]|^(con|prn|aux|nul|com\d|lpt\d)$`)
+
+	return strings.TrimSpace(re.ReplaceAllString(s, "_"))
+}
@@ -54,3 +54,14 @@ func TestGiteaTemplate(t *testing.T) {
 		})
 	}
 }
+
+func TestFileNameSanitize(t *testing.T) {
+	assert.Equal(t, "test_CON", fileNameSanitize("test_CON"))
+	assert.Equal(t, "test CON", fileNameSanitize("test CON "))
+	assert.Equal(t, "__traverse__", fileNameSanitize("../traverse/.."))
+	assert.Equal(t, "http___localhost_3003_user_test.git", fileNameSanitize("http://localhost:3003/user/test.git"))
+	assert.Equal(t, "_", fileNameSanitize("CON"))
+	assert.Equal(t, "_", fileNameSanitize("con"))
+	assert.Equal(t, "_", fileNameSanitize("\u0000"))
+	assert.Equal(t, "目标", fileNameSanitize("目标"))
+}
Original file line number	Diff line number	Diff line change
`@@ -503,6 +503,9 @@ var migrations = []Migration{`
`503`	`503`
`504`	`504`	`// v260 -> v261`
`505`	`505`	`NewMigration("Drop custom_labels column of action_runner table", v1_21.DropCustomLabelsColumnOfActionRunner),`
	`506`	`+`
	`507`	`+ // v261 -> v262`
	`508`	`+ NewMigration("Add variable table", v1_21.CreateVariableTable),`
`506`	`509`	`}`
`507`	`510`
`508`	`511`	`// GetCurrentDBVersion returns the current db version`