hg_helper: enforce repo description only contains printable character…

…s (Bug 1814230) r=zeid Differential Revision: https://phabricator.services.mozilla.com/D168748 --HG-- extra : moz-landing-system : lando
mozilla · Feb 6, 2023 · 32849ef · 32849ef
1 parent 7696811
commit 32849ef
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 1 deletion.
diff --git a/hgserver/pash/hg_helper.py b/hgserver/pash/hg_helper.py
@@ -448,6 +448,14 @@ def get_user_repo_config(user: str, repo_dir: Path) -> Tuple[Path, RawConfigPars
     return path, config
 
 
+def clean_repo_description(description: str) -> str:
+    """Ensure the repo description contains valid characters and escape unsafe html."""
+    if not description.isprintable():
+        raise ValueError("Description must contain only printable characters.")
+
+    return escape(description)
+
+
 def edit_repo_description(repo_name: str, user: str, user_repo_dir: str):
     print(EDIT_DESCRIPTION.format(user_dir=user_repo_dir, repo=repo_name))
     selection = prompt_user("Proceed?", ["yes", "no"])
@@ -468,7 +476,11 @@ def edit_repo_description(repo_name: str, user: str, user_repo_dir: str):
     if repo_description == "":
         return
 
-    repo_description = escape(repo_description)
+    try:
+        repo_description = clean_repo_description(repo_description)
+    except ValueError as err:
+        sys.stderr.write(f"\n{str(err)}")
+        sys.exit(1)
 
     config_path, config = get_user_repo_config(user, repo_path)
 

diff --git a/hgserver/tests/test-edit-description.t b/hgserver/tests/test-edit-description.t
@@ -93,6 +93,36 @@ Check that multi-line inputs are handled correctly.
   [web]
   description = Description
   
+Check that disallowed characters are handled correctly.
+
+  $ export BADDESCRIPTION=`python -c "print('Description\\tHi!')"`
+  $ standarduserssh $SSH_SERVER edit repo-1 << EOF
+  > 2
+  > 1
+  > $BADDESCRIPTION
+  > EOF
+  
+  0) Exit.
+  1) Delete the repository.
+  2) Edit the description.
+  3) Mark repository as non-publishing.
+  4) Mark repository as publishing.
+  5) Enable obsolescence support (experimental).
+  6) Disable obsolescence support.
+  
+  What would you like to do? You are about to edit the description for hg.mozilla.org/users/user_example.com/repo-1.
+  
+  If you need to edit the description for a top level repo, please quit now
+  and file a Developer Services :: hg.mozilla.org bug at
+  https://bugzilla.mozilla.org/enter_bug.cgi?product=Developer%20Services&component=Mercurial%3A%20hg.mozilla.org
+  
+  0) Exit.
+  1) yes.
+  2) no.
+  
+  Proceed? Enter a one line descripton for the repository: 
+  Description must contain only printable characters. (no-eol)
+  [1]
 
 
 Check that HTML characters are escaped correctly.