From ac03e65cf43fd009d02f1b067e6be5357dcf66f4 Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Sat, 16 Aug 2025 10:43:59 +0800
Subject: [PATCH] Fix GitHub release assets URL validation (#35287) (#35290)

Backport #35287 by @alexblackie

GitHub changed where the attachments on releases are stored, which means
repo migrations with releases now fail because the redirect URLs don't
match the base URL validation. We need to update the base URL check to
check for the `release-assets` subdomain as well.

Co-authored-by: Alex Blackie <alex@blackie.ca>
---
 services/migrations/github.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/services/migrations/github.go b/services/migrations/github.go
index d0a0d719869..199ed38ddfe 100644
--- a/services/migrations/github.go
+++ b/services/migrations/github.go
@@ -354,7 +354,8 @@ func (g *GithubDownloaderV3) convertGithubRelease(ctx context.Context, rel *gith
 
 				// Prevent open redirect
 				if !hasBaseURL(redirectURL, g.baseURL) &&
-					!hasBaseURL(redirectURL, "https://objects.githubusercontent.com/") {
+					!hasBaseURL(redirectURL, "https://objects.githubusercontent.com/") &&
+					!hasBaseURL(redirectURL, "https://release-assets.githubusercontent.com/") {
 					WarnAndNotice("Unexpected AssetURL for assetID[%d] in %s: %s", asset.GetID(), g, redirectURL)
 
 					return io.NopCloser(strings.NewReader(redirectURL)), nil