Use CleanPath instead of path.Clean (#23371)

As title.

modules/options/base.go

@@ -16,27 +16,27 @@ import (
 
 // Locale reads the content of a specific locale from static/bindata or custom path.
 func Locale(name string) ([]byte, error) {
-	return fileFromDir(path.Join("locale", path.Clean("/"+name)))
+	return fileFromDir(path.Join("locale", util.CleanPath(name)))
 }
 
 // Readme reads the content of a specific readme from static/bindata or custom path.
 func Readme(name string) ([]byte, error) {
-	return fileFromDir(path.Join("readme", path.Clean("/"+name)))
+	return fileFromDir(path.Join("readme", util.CleanPath(name)))
 }
 
 // Gitignore reads the content of a gitignore locale from static/bindata or custom path.
 func Gitignore(name string) ([]byte, error) {
-	return fileFromDir(path.Join("gitignore", path.Clean("/"+name)))
+	return fileFromDir(path.Join("gitignore", util.CleanPath(name)))
 }
 
 // License reads the content of a specific license from static/bindata or custom path.
 func License(name string) ([]byte, error) {
-	return fileFromDir(path.Join("license", path.Clean("/"+name)))
+	return fileFromDir(path.Join("license", util.CleanPath(name)))
 }
 
 // Labels reads the content of a specific labels from static/bindata or custom path.
 func Labels(name string) ([]byte, error) {
-	return fileFromDir(path.Join("label", path.Clean("/"+name)))
+	return fileFromDir(path.Join("label", util.CleanPath(name)))
 }
 
 // WalkLocales reads the content of a specific locale

modules/public/public.go

@@ -6,7 +6,6 @@ package public
 import (
 	"net/http"
 	"os"
-	"path"
 	"path/filepath"
 	"strings"
 
@@ -14,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/httpcache"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 )
 
 // Options represents the available options to configure the handler.
@@ -103,7 +103,7 @@ func setWellKnownContentType(w http.ResponseWriter, file string) {
 
 func (opts *Options) handle(w http.ResponseWriter, req *http.Request, fs http.FileSystem, file string) bool {
 	// use clean to keep the file is a valid path with no . or ..
-	f, err := fs.Open(path.Clean(file))
+	f, err := fs.Open(util.CleanPath(file))
 	if err != nil {
 		if os.IsNotExist(err) {
 			return false

modules/storage/local.go

@@ -8,7 +8,6 @@ import (
 	"io"
 	"net/url"
 	"os"
-	"path"
 	"path/filepath"
 	"strings"
 
@@ -59,7 +58,7 @@ func NewLocalStorage(ctx context.Context, cfg interface{}) (ObjectStorage, error
 }
 
 func (l *LocalStorage) buildLocalPath(p string) string {
-	return filepath.Join(l.dir, path.Clean("/" + strings.ReplaceAll(p, "\\", "/"))[1:])
+	return filepath.Join(l.dir, util.CleanPath(strings.ReplaceAll(p, "\\", "/")))
 }
 
 // Open a file

modules/storage/minio.go

@@ -15,6 +15,7 @@ import (
 	"time"
 
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/util"
 
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
@@ -120,7 +121,7 @@ func NewMinioStorage(ctx context.Context, cfg interface{}) (ObjectStorage, error
 }
 
 func (m *MinioStorage) buildMinioPath(p string) string {
-	return strings.TrimPrefix(path.Join(m.basePath, path.Clean("/" + strings.ReplaceAll(p, "\\", "/"))[1:]), "/")
+	return strings.TrimPrefix(path.Join(m.basePath, util.CleanPath(strings.ReplaceAll(p, "\\", "/"))), "/")
 }
 
 // Open open a file

modules/util/path.go

@@ -14,6 +14,14 @@ import (
 	"strings"
 )
 
+// CleanPath ensure to clean the path
+func CleanPath(p string) string {
+	if strings.HasPrefix(p, "/") {
+		return path.Clean(p)
+	}
+	return path.Clean("/" + p)[1:]
+}
+
 // EnsureAbsolutePath ensure that a path is absolute, making it
 // relative to absoluteBase if necessary
 func EnsureAbsolutePath(path, absoluteBase string) string {

modules/util/path_test.go

@@ -136,3 +136,15 @@ func TestMisc_IsReadmeFileName(t *testing.T) {
 		assert.Equal(t, testCase.idx, idx)
 	}
 }
+
+func TestCleanPath(t *testing.T) {
+	cases := map[string]string{
+		"../../test": "test",
+		"/test":      "/test",
+		"/../test":   "/test",
+	}
+
+	for k, v := range cases {
+		assert.Equal(t, v, CleanPath(k))
+	}
+}