feat(backend): validate repo name
only allow alphanumeric, dashes, underscores, periods, and slashes
aymanbagabas committed May 2, 2023
1 parent 6d9fc69 commit 5ec5570
Showing 2 changed files with 30 additions and 0 deletions.
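--- a/server/backend/sqlite/sqlite.go
+++ b/server/backend/sqlite/sqlite.go
@@ -123,6 +123,10 @@ func (d *SqliteBackend) SetAnonAccess(level backend.AccessLevel) error {
 // It implements backend.Backend.
 func (d *SqliteBackend) CreateRepository(name string, opts backend.RepositoryOptions) (backend.Repository, error) {
 name = utils.SanitizeRepo(name)
+if err := utils.ValidateRepo(name); err != nil {
+return nil, err
+}
+
 repo := name + ".git"
 rp := filepath.Join(d.reposPath(), repo)
 
@@ -165,6 +169,10 @@ func (d *SqliteBackend) CreateRepository(name string, opts backend.RepositoryOpt
 // ImportRepository imports a repository from remote.
 func (d *SqliteBackend) ImportRepository(name string, remote string, opts backend.RepositoryOptions) (backend.Repository, error) {
 name = utils.SanitizeRepo(name)
+if err := utils.ValidateRepo(name); err != nil {
+return nil, err
+}
+
 repo := name + ".git"
 rp := filepath.Join(d.reposPath(), repo)
 
@@ -217,7 +225,14 @@ func (d *SqliteBackend) DeleteRepository(name string) error {
 // It implements backend.Backend.
 func (d *SqliteBackend) RenameRepository(oldName string, newName string) error {
 oldName = utils.SanitizeRepo(oldName)
+if err := utils.ValidateRepo(oldName); err != nil {
+return err
+}
+
 newName = utils.SanitizeRepo(newName)
+if err := utils.ValidateRepo(newName); err != nil {
+return err
+}
 oldRepo := oldName + ".git"
 newRepo := newName + ".git"
 op := filepath.Join(d.reposPath(), oldRepo)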
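Review bot: The sanitize-then-validate pair is copied by hand into each entry point, although the validated name is joined into a filesystem path a few lines later (`filepath.Join(d.reposPath(), repo)` in CreateRepository and ImportRepository). The third hunk header names DeleteRepository, whose body is outside this diff, so it cannot be confirmed here that the delete path gets the same check. Folding the pair into one helper, for example `name, err := sanitizeAndValidate(name)`, and calling it from every method that builds a path from a repository name would keep the entry points from drifting apart. In RenameRepository the rule now also applies to oldName, so a repository created before this commit with a now-disallowed character can no longer be renamed; a comment stating that this is intended would help. All three function bodies continue outside the hunks.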
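--- a/server/utils/utils.go
+++ b/server/utils/utils.go
@@ -33,3 +33,18 @@ func ValidateUsername(username string) error {
 
 return nil
 }
+
+// ValidateRepo returns an error if the given repository name is invalid.
+func ValidateRepo(repo string) error {
+if repo == "" {
+return fmt.Errorf("repo cannot be empty")
+}
+
+for _, r := range repo {
+if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' && r != '.' && r != '/' {
+return fmt.Errorf("repo can only contain letters, numbers, hyphens, underscores, periods, and slashes")
+}
+}
+
+return nil
+}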
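Review bot: ValidateRepo checks each rune in isolation, so a name made only of allowed characters can still contain `.` or `..` as a whole path segment (or an empty segment from `//`), and the sqlite.go callers pass the validated name to `filepath.Join(d.reposPath(), repo)`. Whether SanitizeRepo already collapses such segments is not visible in this diff, so the validator should reject them itself; the sketch below adds a per-segment check after the rune loop and needs the `strings` package in the file's imports. Separately, `unicode.IsLetter` and `unicode.IsDigit` accept non-ASCII letters and digits, which is wider than the "alphanumeric" rule in the commit message and admits visually confusable names; if ASCII-only is intended, compare against explicit ranges instead.

```go
func ValidateRepo(repo string) error {
	// … unchanged: empty check and per-rune allow-list loop …

	// The per-rune allow-list still admits "." and ".." as whole path
	// segments; reject them so the joined path stays under the repos root.
	for _, seg := range strings.Split(repo, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return fmt.Errorf("repo cannot contain empty, \".\" or \"..\" path segments")
		}
	}

	return nil
```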
