Add support for different Maven POM encoding (#25873)

KN4CK3R · web-flow · commit bd82d8974e84 · 2023-07-14T09:39:15.000Z
Fixes #25853 - Maven POM files aren't always UTF-8 encoded. - Reject the upload of unparsable POM files
diff --git a/modules/packages/maven/metadata.go b/modules/packages/maven/metadata.go
@@ -8,6 +8,8 @@ import (
 	"io"
 
 	"code.gitea.io/gitea/modules/validation"
+
+	"golang.org/x/net/html/charset"
 )
 
 // Metadata represents the metadata of a Maven package
@@ -52,7 +54,10 @@ type pomStruct struct {
 // ParsePackageMetaData parses the metadata of a pom file
 func ParsePackageMetaData(r io.Reader) (*Metadata, error) {
 	var pom pomStruct
-	if err := xml.NewDecoder(r).Decode(&pom); err != nil {
+
+	dec := xml.NewDecoder(r)
+	dec.CharsetReader = charset.NewReaderLabel
+	if err := dec.Decode(&pom); err != nil {
 		return nil, err
 	}
 
diff --git a/modules/packages/maven/metadata_test.go b/modules/packages/maven/metadata_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"golang.org/x/text/encoding/charmap"
 )
 
 const (
@@ -69,4 +70,20 @@ func TestParsePackageMetaData(t *testing.T) {
 		assert.Equal(t, dependencyArtifactID, m.Dependencies[0].ArtifactID)
 		assert.Equal(t, dependencyVersion, m.Dependencies[0].Version)
 	})
+
+	t.Run("Encoding", func(t *testing.T) {
+		// UTF-8 is default but the metadata could be encoded differently
+		pomContent8859_1, err := charmap.ISO8859_1.NewEncoder().String(
+			strings.ReplaceAll(
+				pomContent,
+				`<?xml version="1.0"?>`,
+				`<?xml version="1.0" encoding="ISO-8859-1"?>`,
+			),
+		)
+		assert.NoError(t, err)
+
+		m, err := ParsePackageMetaData(strings.NewReader(pomContent8859_1))
+		assert.NoError(t, err)
+		assert.NotNil(t, m)
+	})
 }
diff --git a/routers/api/packages/maven/maven.go b/routers/api/packages/maven/maven.go
@@ -49,6 +49,11 @@ var (
 
 func apiError(ctx *context.Context, status int, obj any) {
 	helper.LogAndProcessError(ctx, status, obj, func(message string) {
+		// The maven client does not present the error message to the user. Log it for users with access to server logs.
+		if status == http.StatusBadRequest || status == http.StatusInternalServerError {
+			log.Error(message)
+		}
+
 		ctx.PlainText(status, message)
 	})
 }
@@ -320,7 +325,8 @@ func UploadPackageFile(ctx *context.Context) {
 		var err error
 		pvci.Metadata, err = maven_module.ParsePackageMetaData(buf)
 		if err != nil {
-			log.Error("Error parsing package metadata: %v", err)
+			apiError(ctx, http.StatusBadRequest, err)
+			return
 		}
 
 		if pvci.Metadata != nil {
