GetRepositoryByName shouldn't find a repository if name is empty #31708

Closed
@tik-stbuehler

Description

Hi,

URLs with an empty repository name before .git find "random" repositories.

Example: https://gitea.com/gitea/.git/info/refs

As far as I can tell this happens because:

  1. The "githttp"-handling will strip .git from the :reponame path parameter, i.e. ending up with an empty string:

```go
func httpBase(ctx *context.Context) *serviceHandler {
	username := ctx.PathParam(":username")
	reponame := strings.TrimSuffix(ctx.PathParam(":reponame"), ".git")
	if ctx.FormString("go-get") == "1" {
		context.EarlyResponseForGoGetMeta(ctx)
		return nil
	}
	var isPull, receivePack bool
	service := ctx.FormString("service")
	if service == "git-receive-pack" ||
		strings.HasSuffix(ctx.Req.URL.Path, "git-receive-pack") {
		isPull = false
		receivePack = true
	} else if service == "git-upload-pack" ||
		strings.HasSuffix(ctx.Req.URL.Path, "git-upload-pack") {
		isPull = true
	} else if service == "git-upload-archive" ||
		strings.HasSuffix(ctx.Req.URL.Path, "git-upload-archive") {
		isPull = true
	} else {
		isPull = ctx.Req.Method == "GET"
	}
	var accessMode perm.AccessMode
	if isPull {
		accessMode = perm.AccessModeRead
	} else {
		accessMode = perm.AccessModeWrite
	}
	isWiki := false
	unitType := unit.TypeCode
	if strings.HasSuffix(reponame, ".wiki") {
		isWiki = true
		unitType = unit.TypeWiki
		reponame = reponame[:len(reponame)-5]
	}
	owner := ctx.ContextUser
	if !owner.IsOrganization() && !owner.IsActive {
		ctx.PlainText(http.StatusForbidden, "Repository cannot be accessed. You cannot push or open issues/pull-requests.")
		return nil
	}
	repoExist := true
	repo, err := repo_model.GetRepositoryByName(ctx, owner.ID, reponame)
```

  2. GetRepositoryByName uses some magic "Get" method on a partially initialized object, passing an empty string as LowerName - but empty fields are likely not used in the WHERE filter string for the database.

gitea/models/repo/repo.go

Lines 747 to 759 in 4b376a0

```go
func GetRepositoryByName(ctx context.Context, ownerID int64, name string) (*Repository, error) {
	repo := &Repository{
		OwnerID:   ownerID,
		LowerName: strings.ToLower(name),
	}
	has, err := db.GetEngine(ctx).Get(repo)
	if err != nil {
		return nil, err
	} else if !has {
		return nil, ErrRepoNotExist{0, ownerID, "", name}
	}
	return repo, err
}
```

Imho the most reliable solution is for GetRepositoryByName not to find repositories with empty names.

cheers,
Stefan

Gitea Version

gitea.com doesn't say

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

gitea.com is your instance.

Database

None
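
The behaviour described in the report, as an added example that is not Gitea's code or part of the original issue. `getByExample` is an assumed, simplified model of a query-by-example lookup that filters only on non-zero struct fields; `Repo`, `rows`, `byNameUnguarded` and `byNameGuarded` are hypothetical names over constructed data. It shows an empty name dropping the name filter, and the guard the report proposes.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Repo is a constructed stand-in for a repository row.
type Repo struct {
	OwnerID   int64
	LowerName string
}

// rows is constructed sample data, not taken from any real instance.
var rows = []Repo{{1, "alpha"}, {1, "beta"}, {2, "gamma"}}
var errRepoNotExist = errors.New("repository does not exist")

// getByExample: only non-zero fields of q act as WHERE conditions (assumed model).
func getByExample(q Repo) (Repo, bool) {
	for _, r := range rows {
		if (q.OwnerID == 0 || r.OwnerID == q.OwnerID) &&
			(q.LowerName == "" || r.LowerName == q.LowerName) {
			return r, true
		}
	}
	return Repo{}, false
}

// byNameUnguarded mirrors the reported pattern: an empty name drops the filter.
func byNameUnguarded(ownerID int64, name string) (Repo, error) {
	if r, ok := getByExample(Repo{ownerID, strings.ToLower(name)}); ok {
		return r, nil
	}
	return Repo{}, errRepoNotExist
}

// byNameGuarded refuses an empty name before it reaches the query layer.
func byNameGuarded(ownerID int64, name string) (Repo, error) {
	if name == "" {
		return Repo{}, errRepoNotExist
	}
	return byNameUnguarded(ownerID, name)
}

func main() {
	name := strings.TrimSuffix(".git", ".git") // "" for a path segment of ".git"
	fmt.Println(byNameUnguarded(1, name))      // first row of owner 1, no error
	fmt.Println(byNameGuarded(1, name))        // empty Repo and errRepoNotExist
}
```

Placing the check inside the lookup function covers every caller, including the `.wiki` suffix stripping that happens after the `.git` trim in `httpBase`.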
