~edwargix/git.sr.ht: api/graph: Disallow invalid names in updateRepository

6067e8806a28454da24da30093a71f81378a37ab — Adnan Maolood 2 years ago 9a9280f

api/graph: Disallow invalid names in updateRepository

patch browse .tar.gz

1 files changed, 11 insertions(+), 0 deletions(-)

M api/graph/schema.resolvers.go

M api/graph/schema.resolvers.go => api/graph/schema.resolvers.go +11 -0

@@ 254,6 254,17 @@ func (r *mutationResolver) UpdateRepository(ctx context.Context, id int, input m
 				return fmt.Errorf("Invalid type for 'name' field (expected string)")
 			}
 
+			if !repoNameRE.MatchString(name) {
+				return fmt.Errorf("Invalid repository name '%s' (must match %s)",
+					name, repoNameRE.String())
+			}
+			if name == "." || name == ".." {
+				return fmt.Errorf("Invalid repository name '%s' (must not be . or ..)", name)
+			}
+			if name == ".git" || name == ".hg" {
+				return fmt.Errorf("Invalid repository name '%s' (must not be .git or .hg)", name)
+			}
+
 			var origPath string
 			row := tx.QueryRowContext(ctx, `
 				INSERT INTO redirect (