go-gitea · techknowlogick · Nov 29, 2020 · Aug 30, 2019 · Aug 30, 2019 · Aug 30, 2019
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -1212,3 +1212,11 @@ STORAGE_TYPE = local
 ;MINIO_LOCATION = us-east-1
 ; Minio enabled ssl only available when STORAGE_TYPE is `minio`
 ;MINIO_USE_SSL = false
+
+[migration]
+; Whitelist for migrating, default is blank. Blank means everything will be allowed.
+; Multiple domains could be separated by commas.
+ALLOWLISTED_DOMAINS =
+; Blacklist for migrating, default is blank. Multiple domains could be separated by commas.
+; When WHITELISTED_DOMAINS is not blank, this option will be ignored.
+BLOCKLISTED_DOMAINS =
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -902,6 +902,11 @@ MINIO_USE_SSL = false
 
 And used by `[attachment]`, `[lfs]` and etc. as `STORAGE_TYPE`.
 
+## Migraions (`migration`)
+
+- `ALLOWLISTED_DOMAINS`: ****: Domains whitelist for migrating repositories, default is blank. It means everything will be allowed. Multiple domains could be separated by commas.
+- `BLOCKLISTED_DOMAINS`: ****: Domains blacklist for migrating repositories, default is blank. Multiple domains could be separated by commas. When `ALLOWLISTED_DOMAINS` is not blank, this option will be ignored.
+
 ## Other (`other`)
 
 - `SHOW_FOOTER_BRANDING`: **false**: Show Gitea branding in the footer.

diff --git a/docs/content/doc/advanced/config-cheat-sheet.zh-cn.md b/docs/content/doc/advanced/config-cheat-sheet.zh-cn.md
@@ -363,6 +363,11 @@ MINIO_USE_SSL = false
 
 然后你在 `[attachment]`, `[lfs]` 等中可以把这个名字用作 `STORAGE_TYPE` 的值。
 
+## Migraions (`migration`)
+
+- `ALLOWLISTED_DOMAINS`: ****: 迁移仓库的域名白名单，默认为空，表示允许从任意域名迁移仓库，多个域名用逗号分隔。
+- `BLOCKLISTED_DOMAINS`: ****: 迁移仓库的域名黑名单，默认为空，多个域名用逗号分隔。如果 `ALLOWLISTED_DOMAINS` 不为空，此选项将会被忽略。
+
 ## Other (`other`)
 
 - `SHOW_FOOTER_BRANDING`: 为真则在页面底部显示Gitea的字样。

diff --git a/modules/matchlist/matchlist.go b/modules/matchlist/matchlist.go
@@ -0,0 +1,48 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package matchlist
+
+import (
+	"strings"
+
+	"github.com/gobwas/glob"
+)
+
+// Matchlist represents a black or white list
+type Matchlist struct {
+	rules     []string
+	ruleGlobs []glob.Glob
+}
+
+// NewMatchlist creates a new black or white list
+func NewMatchlist(rules ...string) (*Matchlist, error) {
+	for i := range rules {
+		rules[i] = strings.ToLower(rules[i])
+	}
+	list := Matchlist{
+		rules:     rules,
+		ruleGlobs: make([]glob.Glob, 0, len(rules)),
+	}
+
+	for _, rule := range list.rules {
+		rg, err := glob.Compile(rule)
+		if err != nil {
+			return nil, err
+		}
+		list.ruleGlobs = append(list.ruleGlobs, rg)
+	}
+
+	return &list, nil
+}
+
+// Match will matches
+func (b *Matchlist) Match(u string) bool {
+	for _, r := range b.ruleGlobs {
+		if r.Match(u) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/modules/migrations/migrate.go b/modules/migrations/migrate.go
@@ -8,9 +8,12 @@ package migrations
 import (
 	"context"
 	"fmt"
+	"net/url"
+	"strings"
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/matchlist"
 	"code.gitea.io/gitea/modules/migrations/base"
 	"code.gitea.io/gitea/modules/setting"
 )
@@ -27,12 +30,37 @@ func RegisterDownloaderFactory(factory base.DownloaderFactory) {
 	factories = append(factories, factory)
 }
 
+func isMigrateURLAllowed(remoteURL string) (bool, error) {
+	u, err := url.Parse(strings.ToLower(remoteURL))
+	if err != nil {
+		return false, err
+	}
+
+	if strings.EqualFold(u.Scheme, "http") || strings.EqualFold(u.Scheme, "https") {
+		if len(setting.Migration.AllowlistedDomains) > 0 {
+			if !allowlist.Match(u.Host) {
+				return false, fmt.Errorf("Migrate from %v is not allowed", u.Host)
+			}
+		} else {
+			if blocklist.Match(u.Host) {
+				return false, fmt.Errorf("Migrate from %v is not allowed", u.Host)
+			}
+		}
+	}
+
+	return true, nil
+}
+
 // MigrateRepository migrate repository according MigrateOptions
 func MigrateRepository(ctx context.Context, doer *models.User, ownerName string, opts base.MigrateOptions) (*models.Repository, error) {
+	allowed, err := isMigrateURLAllowed(opts.CloneAddr)
+	if !allowed {
+		return nil, err
+	}
+
 	var (
 		downloader base.Downloader
 		uploader   = NewGiteaLocalUploader(ctx, doer, ownerName, opts.RepoName)
-		err        error
 	)
 
 	for _, factory := range factories {
@@ -308,3 +336,23 @@ func migrateRepository(downloader base.Downloader, uploader base.Uploader, opts
 
 	return nil
 }
+
+var (
+	allowlist *matchlist.Matchlist
+	blocklist *matchlist.Matchlist
+)
+
+// Init migrations service
+func Init() error {
+	var err error
+	allowlist, err = matchlist.NewMatchlist(setting.Migration.AllowlistedDomains...)
+	if err != nil {
+		return fmt.Errorf("init migration allowlist domains failed: %v", err)
+	}
+
+	blocklist, err = matchlist.NewMatchlist(setting.Migration.BlocklistedDomains...)
+	if err != nil {
+		return fmt.Errorf("init migration blocklist domains failed: %v", err)
+	}
+	return nil
+}
diff --git a/modules/migrations/migrate_test.go b/modules/migrations/migrate_test.go
@@ -0,0 +1,38 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMigrateWhiteBlocklist(t *testing.T) {
+	setting.Migration.AllowlistedDomains = []string{"github.com"}
+	assert.NoError(t, Init())
+
+	allowed, err := isMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git")
+	assert.False(t, allowed)
+	assert.Error(t, err)
+
+	allowed, err = isMigrateURLAllowed("https://github.com/go-gitea/gitea.git")
+	assert.True(t, allowed)
+	assert.NoError(t, err)
+
+	setting.Migration.AllowlistedDomains = []string{}
+	setting.Migration.BlocklistedDomains = []string{"github.com"}
+	assert.NoError(t, Init())
+
+	allowed, err = isMigrateURLAllowed("https://gitlab.com/gitlab/gitlab.git")
+	assert.True(t, allowed)
+	assert.NoError(t, err)
+
+	allowed, err = isMigrateURLAllowed("https://github.com/go-gitea/gitea.git")
+	assert.False(t, allowed)
+	assert.Error(t, err)
+}
diff --git a/modules/setting/migrate.go b/modules/setting/migrate.go
@@ -0,0 +1,26 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package setting
+
+import (
+	"fmt"
+)
+
+// Migration represents migrations' settings
+var Migration = struct {
+	AllowlistedDomains []string
+	BlocklistedDomains []string
+}{
+	AllowlistedDomains: []string{},
+	BlocklistedDomains: []string{},
+}
+
+// InitMigrationConfig represents load migration configurations
+func InitMigrationConfig() error {
+	if err := Cfg.Section("migration").MapTo(&Migration); err != nil {
+		return fmt.Errorf("Failed to map Migration settings: %v", err)
+	}
+	return nil
+}
diff --git a/routers/init.go b/routers/init.go
@@ -24,6 +24,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/markup"
 	"code.gitea.io/gitea/modules/markup/external"
+	repo_migrations "code.gitea.io/gitea/modules/migrations"
 	"code.gitea.io/gitea/modules/notification"
 	"code.gitea.io/gitea/modules/options"
 	"code.gitea.io/gitea/modules/setting"
@@ -201,6 +202,9 @@ func GlobalInit(ctx context.Context) {
 	if err := task.Init(); err != nil {
 		log.Fatal("Failed to initialize task scheduler: %v", err)
 	}
+	if err := repo_migrations.Init(); err != nil {
+		log.Fatal("Failed to initialize repository migrations: %v", err)
+	}
 	eventsource.GetManager().Init()
 
 	if setting.EnableSQLite3 {