From 6067e8806a28454da24da30093a71f81378a37ab Mon Sep 17 00:00:00 2001
From: Adnan Maolood
Date: Thu, 13 Jan 2022 13:25:15 -0500
Subject: [PATCH] api/graph: Disallow invalid names in updateRepository

---
 api/graph/schema.resolvers.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/api/graph/schema.resolvers.go b/api/graph/schema.resolvers.go
index b7e1546..19a98bb 100644
--- a/api/graph/schema.resolvers.go
+++ b/api/graph/schema.resolvers.go
@@ -254,6 +254,17 @@ func (r *mutationResolver) UpdateRepository(ctx context.Context, id int, input m
 return fmt.Errorf("Invalid type for 'name' field (expected string)")
 }
 
+ if !repoNameRE.MatchString(name) {
+ return fmt.Errorf("Invalid repository name '%s' (must match %s)",
+ name, repoNameRE.String())
+ }
+ if name == "." || name == ".." {
+ return fmt.Errorf("Invalid repository name '%s' (must not be . or ..)", name)
+ }
+ if name == ".git" || name == ".hg" {
+ return fmt.Errorf("Invalid repository name '%s' (must not be .git or .hg)", name)
+ }
+
 var origPath string
 row := tx.QueryRowContext(ctx, `
 INSERT INTO redirect (
-- 
2.38.4
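Review bot: The three name checks added to UpdateRepository are written inline in the resolver, and the subject line suggests createRepository already enforces the same rule; if so, two hand-maintained copies of a path-safety check can drift apart, and both resolvers would be better served by one shared helper called as `if err := validateRepoName(name); err != nil { return err }` (the helper name is a suggestion, not an existing function). Separately, each new error string interpolates the rejected value with `'%s'`; a value that has just failed repoNameRE may contain control characters or newlines, and `%q` would escape them wherever the error ends up logged or displayed. UpdateRepository starts and ends outside the hunk, so how `name` is later used to build the repository path cannot be checked from here.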