From fd285bfc4e57b36406cdb6047058a09b80f116da Mon Sep 17 00:00:00 2001
From: Gusted
Date: Wed, 29 Jan 2025 09:02:46 +0000
Subject: [PATCH] fix: disallow blame on directories (#6716)
- Don't allow the blame operation on directories.
- Added integration test.
- Resolves forgejo/forgejo#6533
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6716
Reviewed-by: Earl Warren
Co-authored-by: Gusted
Co-committed-by: Gusted
---
 routers/web/repo/blame.go | 5 +++++
 tests/integration/repo_test.go | 12 ++++++++++++
 2 files changed, 17 insertions(+)
diff --git a/routers/web/repo/blame.go b/routers/web/repo/blame.go
index 4f962d4c19..c7fbaaefcb 100644
--- a/routers/web/repo/blame.go
+++ b/routers/web/repo/blame.go
@@ -56,6 +56,11 @@ func RefBlame(ctx *context.Context) {
 HandleGitError(ctx, "Repo.Commit.GetTreeEntryByPath", err)
 return
 }
+ if entry.IsDir() {
+ ctx.NotFound("Cannot blame directory", nil)
+ return
+ }
+
 blob := entry.Blob()
 ctx.Data["PageIsViewCode"] = true
diff --git a/tests/integration/repo_test.go b/tests/integration/repo_test.go
index 90fc19c193..01d905895a 100644
--- a/tests/integration/repo_test.go
+++ b/tests/integration/repo_test.go
@@ -1462,3 +1462,15 @@ func TestRepoSubmoduleView(t *testing.T) {
 htmlDoc.AssertElement(t, fmt.Sprintf(`tr[data-entryname="repo1"] a[href="%s"]`, u.JoinPath("/user2/repo1").String()), true)
 })
 }
+
+func TestBlameDirectory(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
+ // Ensure directory exists.
+ req := NewRequest(t, "GET", "/user2/repo59/src/branch/master/deep")
+ MakeRequest(t, req, http.StatusOK)
+
+ // Blame is not allowed
+ req = NewRequest(t, "GET", "/user2/repo59/blame/branch/master/deep")
+ MakeRequest(t, req, http.StatusNotFound)
+}
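Review bot: The new guard in front of `entry.Blob()` in RefBlame rejects only tree entries, so a submodule (gitlink) entry, which is not a blob either, still falls through to the blame path on a user-supplied tree path. Consider widening the check to `if entry.IsDir() || entry.IsSubModule() {` and wording the 404 message for any non-file entry, e.g. `ctx.NotFound("Cannot blame non-file entry", nil)`. Whether the later code already copes with that entry type cannot be seen here, because RefBlame starts before and continues past this hunk. If the guard is widened, TestBlameDirectory in the second hunk would want a matching request against a submodule path from the fixtures.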