~edwargix/git.sr.ht: Verify that repository has a valid name before autocreating it

10a89169c2f2380fef475da9b518ccb5fc07db10 — наб 4 years ago e908b80

Verify that repository has a valid name before autocreating it

One could trivially push to 'ssh://hg@hg.sr.ht/~n/<script>alert("owo");',
creating a mal-named repo:
  https://twitter.com/nabijaczleweli/status/1290748103981764609

patch browse .tar.gz

1 files changed, 8 insertions(+), 0 deletions(-)

M gitsrht-shell/main.go

M gitsrht-shell/main.go => gitsrht-shell/main.go +8 -0

@@ 9,6 9,7 @@ import (
 	"os/exec"
 	gopath "path"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 	"syscall"


@@ 261,6 262,13 @@ func main() {
 			}
 
 			if needsAccess == ACCESS_WRITE {
+				if matched, _ := regexp.MatchString(
+					`^[A-Za-z._-][A-Za-z0-9._-]*$`, repoName); !matched {
+
+					log.Println("Name must match [A-Za-z._-][A-Za-z0-9._-]*.")
+					notFound("name policy", nil)
+				}
+
 				repoOwnerId = pusherId
 				repoOwnerName = pusherName
 				repoVisibility = "autocreated"