From c6937edf9843445866dbe3760835c5aa6d2f0cf2 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Sun, 1 Mar 2026 18:01:02 -0800
Subject: [PATCH 1/3] Fix dump release asset bug
---
 services/migrations/dump.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/services/migrations/dump.go b/services/migrations/dump.go
index 04a4569a1209f..1d59f888b4d83 100644
--- a/services/migrations/dump.go
+++ b/services/migrations/dump.go
@@ -293,7 +293,9 @@ func (g *RepositoryDumper) CreateReleases(_ context.Context, releases ...*base.R
 return err
 }
 for _, asset := range release.Assets {
- attachLocalPath := filepath.Join(attachDir, asset.Name)
+ p := uuid.New().String()
+ // we cannot use asset.Name because it might contains special characters.
+ attachLocalPath := filepath.Join(attachDir, p)
 // SECURITY: We cannot check the DownloadURL and DownloadFunc are safe here
 // ... we must assume that they are safe and simply download the attachment
From 707fc17fdcf67435742e9f57ef643daa0261142b Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Sun, 1 Mar 2026 23:50:40 -0800
Subject: [PATCH 2/3] fix
---
 services/migrations/dump.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/services/migrations/dump.go b/services/migrations/dump.go
index 1d59f888b4d83..64e507bf3b428 100644
--- a/services/migrations/dump.go
+++ b/services/migrations/dump.go
@@ -288,7 +288,8 @@ func (g *RepositoryDumper) CreateLabels(_ context.Context, labels ...*base.Label
 func (g *RepositoryDumper) CreateReleases(_ context.Context, releases ...*base.Release) error {
 if g.opts.ReleaseAssets {
 for _, release := range releases {
- attachDir := filepath.Join("release_assets", release.TagName)
+ relDir := uuid.New().String()
+ attachDir := filepath.Join("release_assets", relDir)
 if err := os.MkdirAll(filepath.Join(g.baseDir, attachDir), os.ModePerm); err != nil {
 return err
 }
From a228303f2195fa7a4dba9d487095636e05021dbf Mon Sep 17 00:00:00 2001
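Review bot: The comment added above `attachLocalPath` in the first hunk says only that asset.Name "might contains special characters", which hides the reason a later maintainer needs to know. The name is supplied by the repository being migrated and was joined straight into a filesystem path, where `filepath.Join` cleans `..` elements and separators instead of rejecting them. I would reword it to `// asset.Name comes from the migration source and may hold path separators or "..", so it is never used as a file name; a random name keeps the download inside attachDir.` The loop body runs past the end of the hunk, so it is worth confirming there that the generated path, not the original name, is what gets recorded for the asset, since the file name no longer identifies it.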
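Review bot: The context line `os.MkdirAll(filepath.Join(g.baseDir, attachDir), os.ModePerm)` in the second hunk creates each release directory with mode 0777 before the umask is applied, which is broader than a directory of files fetched from another server needs. Since this hunk already rewrites how attachDir is built, consider tightening the call to `os.MkdirAll(filepath.Join(g.baseDir, attachDir), 0o750)`, or to whatever mode the rest of the dumper uses, which is not visible here. CreateReleases starts in this hunk but its body continues beyond it.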
From: Lunny Xiao
Date: Mon, 2 Mar 2026 13:30:58 -0800
Subject: [PATCH 3/3] inline the change
---
 services/migrations/dump.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/services/migrations/dump.go b/services/migrations/dump.go
index 64e507bf3b428..eb0367e9f94d7 100644
--- a/services/migrations/dump.go
+++ b/services/migrations/dump.go
@@ -288,15 +288,13 @@ func (g *RepositoryDumper) CreateLabels(_ context.Context, labels ...*base.Label
 func (g *RepositoryDumper) CreateReleases(_ context.Context, releases ...*base.Release) error {
 if g.opts.ReleaseAssets {
 for _, release := range releases {
- relDir := uuid.New().String()
- attachDir := filepath.Join("release_assets", relDir)
+ attachDir := filepath.Join("release_assets", uuid.New().String())
 if err := os.MkdirAll(filepath.Join(g.baseDir, attachDir), os.ModePerm); err != nil {
 return err
 }
 for _, asset := range release.Assets {
- p := uuid.New().String()
 // we cannot use asset.Name because it might contains special characters.
- attachLocalPath := filepath.Join(attachDir, p)
+ attachLocalPath := filepath.Join(attachDir, uuid.New().String())
 // SECURITY: We cannot check the DownloadURL and DownloadFunc are safe here
 // ... we must assume that they are safe and simply download the attachment
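Review bot: After the inlining, the `attachDir` line carries no explanation for dropping release.TagName, while the asset line a few statements below keeps one. Tag names come from the same migration source and can contain `/`, so a matching comment such as `// release.TagName is controlled by the migration source and may contain separators; use a random directory name instead` would stop someone restoring the readable layout later. The three patches touch only dump.go, so a regression test that dumps a release whose tag and asset names contain separators would pin the behaviour. The function body starts in the hunk but runs past its end.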