Tweaks to allowed characters.

mbostock · Feb 11, 2013 · 2540486 · 2540486
1 parent 214c655
commit 2540486
Showing 1 changed file with 11 additions and 10 deletions.
diff --git a/index.js b/index.js
@@ -3,13 +3,14 @@ var child = require("child_process"),
     path = require("path");
 
 // Since we have to exec git rev-parse, make sure the arguments are safe.
-var safeRe = /^[0-9a-z_.~/ ][0-9a-z_.~/- ]*$/i,
-    shaRe = /^[0-9a-f]{40}$/;
+var shaRe = /^[0-9a-f]{40}$/,
+    revisionRe = /^[0-9a-z]+([_-][0-9a-z]+)*([^~0-9])*$/i,
+    repositoryRe = /^[0-9a-z]+([_-][0-9a-z]+)*$/i,
+    branchRe = repositoryRe;
 
 function readBlob(repository, revision, file, callback) {
-  if (!safeRe.test(repository)) return callback(new Error("invalid repository name"));
-  if (!safeRe.test(revision)) return callback(new Error("invalid revision name"));
-  if (!safeRe.test(file)) return callback(new Error("invalid file name"));
+  if (!repositoryRe.test(repository)) return callback(new Error("invalid repository name"));
+  if (!revisionRe.test(revision)) return callback(new Error("invalid revision name"));
 
   var git = child.spawn("git", ["cat-file", "blob", revision + ":" + file], {cwd: repository}),
       data = [],
@@ -34,25 +35,25 @@ function readBlob(repository, revision, file, callback) {
 exports.readBlob = readBlob;
 
 exports.getBranches = function(repository, callback) {
-  if (!safeRe.test(repository)) return callback(new Error("invalid repository name"));
+  if (!repositoryRe.test(repository)) return callback(new Error("invalid repository name"));
   child.exec("git branch -l", {cwd: repository}, function(error, stdout) {
     if (error) return callback(error);
     callback(null, stdout.split(/\n/).slice(0, -1).map(function(s) { return s.slice(2); }));
   });
 };
 
 exports.getSha = function(repository, revision, callback) {
-  if (!safeRe.test(repository)) return callback(new Error("invalid repository name"));
-  if (!safeRe.test(revision)) return callback(new Error("invalid revision name"));
+  if (!repositoryRe.test(repository)) return callback(new Error("invalid repository name"));
+  if (!revisionRe.test(revision)) return callback(new Error("invalid revision name"));
   child.exec("git rev-parse \"" + revision + "\"", {cwd: repository}, function(error, stdout) {
     if (error) return callback(error);
     callback(null, stdout.trim());
   });
 };
 
 exports.getRelatedCommits = function(repository, branch, sha, callback) {
-  if (!safeRe.test(repository)) return callback(new Error("invalid repository name"));
-  if (!safeRe.test(branch)) return callback(new Error("invalid branch name"));
+  if (!repositoryRe.test(repository)) return callback(new Error("invalid repository name"));
+  if (!branchRe.test(branch)) return callback(new Error("invalid branch name"));
   if (!shaRe.test(sha)) return callback(new Error("invalid sha name"));
   child.exec("git log --format='%H' \"" + branch + "\" | grep -C1 " + sha, {cwd: repository}, function(error, stdout) {
     if (error) return callback(error);