Add . to filename escape

Author: kdumontnu

modules/repository/generate.go

@@ -365,9 +365,10 @@ func GenerateRepository(ctx context.Context, doer, owner *user_model.User, templ
 
 // Escapes user input to valid OS filenames
 //
-//	https://github.com/sindresorhus/filename-reserved-regex
+//		Based on https://github.com/sindresorhus/filename-reserved-regex
+//	 Adds "." to prevend directory traversal
 func fileNameEscape(s string) string {
-	re := regexp.MustCompile(`(?i)[<>:\"/\\|?*\x{0000}-\x{001F}]|^(con|prn|aux|nul|com\d|lpt\d)$`)
+	re := regexp.MustCompile(`(?i)[\.<>:\"/\\|?*\x{0000}-\x{001F}]|^(con|prn|aux|nul|com\d|lpt\d)$`)
 
 	return re.ReplaceAllString(s, "_")
 }

modules/repository/generate_test.go

@@ -57,7 +57,7 @@ func TestGiteaTemplate(t *testing.T) {
 
 func TestFileNameEscape(t *testing.T) {
 	assert.Equal(t, "test_CON", fileNameEscape("test_CON"))
-	assert.Equal(t, "http___localhost_3003_user_test.git", fileNameEscape("http://localhost:3003/user/test.git"))
+	assert.Equal(t, "http___localhost_3003_user_test_git", fileNameEscape("http://localhost:3003/user/test.git"))
 	assert.Equal(t, "_", fileNameEscape("CON"))
 	assert.Equal(t, "_", fileNameEscape("con"))
 	assert.Equal(t, "_", fileNameEscape("\u0000"))