Verify that repository has a valid name before autocreating it One could trivially push to 'ssh://hg@hg.sr.ht/~n/<script>alert("owo");', creating a mal-named repo: https://twitter.com/nabijaczleweli/status/1290748103981764609
1 files changed, 8 insertions(+), 0 deletions(-) M gitsrht-shell/main.go
M gitsrht-shell/main.go => gitsrht-shell/main.go +8 -0
@@ 9,6 9,7 @@ import ( "os/exec" gopath "path" "path/filepath" "regexp" "strconv" "strings" @@ "syscall" 261,6 262,13 @@ func main() { } if needsAccess == ACCESS_WRITE { if matched, _ := regexp.MatchString( `^[A-Za-z._-][A-Za-z0-9._-]*$`, repoName); !matched { log.Println("Name must match [A-Za-z._-][A-Za-z0-9._-]*.") notFound("name policy", nil) } repoOwnerId = pusherId repoOwnerName = pusherName repoVisibility = "autocreated"
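Review bot: The name check added in the second hunk still accepts a repoName that is exactly `.` or `..`, because `.` is permitted as the first character of `^[A-Za-z._-][A-Za-z0-9._-]*$` and the remainder may be empty; since the hunk is on the autocreate path where the name presumably becomes part of the repository directory, those two values should be rejected explicitly, e.g. `!matched || repoName == "." || repoName == ".."` in place of `!matched`. Discarding the error from `regexp.MatchString` is harmless for a constant pattern, but a package-level `var repoNameRe = regexp.MustCompile(...)` used as `!repoNameRe.MatchString(repoName)` states that and avoids the blank `_`. The log line would be more useful to an operator if it included the rejected value, `log.Printf("Name %q must match [A-Za-z._-][A-Za-z0-9._-]*.", repoName)`. Whether `notFound("name policy", nil)` terminates the process cannot be confirmed from the hunk, and the body of `main` continues outside it.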