
knotserver: reject '{did}/{name}/git-receive-pack' requests

authored by tjh.dev and committed by Tangled 5139c88a ca454e92

Changed files
+14
knotserver
+13
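--- a/knotserver/git.go
+++ b/knotserver/git.go
@@ -93,6 +93,19 @@
 	}
 }
 
+func (d *Handle) ReceivePack(w http.ResponseWriter, r *http.Request) {
+	did := chi.URLParam(r, "did")
+	name := chi.URLParam(r, "name")
+	_, err := securejoin.SecureJoin(d.c.Repo.ScanPath, filepath.Join(did, name))
+	if err != nil {
+		gitError(w, err.Error(), http.StatusForbidden)
+		d.l.Error("git: failed to secure join repo path", "handler", "ReceivePack", "error", err)
+		return
+	}
+
+	d.RejectPush(w, r, name)
+}
+
 func (d *Handle) RejectPush(w http.ResponseWriter, r *http.Request, unqualifiedRepoName string) {
 	// A text/plain response will cause git to print each line of the body
 	// prefixed with "remote: ".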
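Review bot: In the new `ReceivePack`, the failure branch passes `err.Error()` straight to `gitError`, so whatever securejoin reports is returned to the remote git client; such errors typically wrap filesystem errors and may include the absolute path under `d.c.Repo.ScanPath`. The detail is already logged on the following line, so the response can be a fixed string, e.g. `gitError(w, "invalid repository path", http.StatusForbidden)`. The joined path is discarded (`_, err :=`), so the handler does not check that the repository exists, and `name` reaches `RejectPush` as the raw URL parameter. If `RejectPush` echoes that name into the text/plain body (its body continues outside the hunk), it is worth confirming the value is validated or escaped there. A doc comment such as `// ReceivePack answers git-receive-pack POSTs with the push-rejection message; it never accepts a push.` would also help readers of the exported method.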
+1
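--- a/knotserver/handler.go
+++ b/knotserver/handler.go
@@ -83,6 +83,7 @@
 r.Get("/", h.RepoIndex)
 r.Get("/info/refs", h.InfoRefs)
 r.Post("/git-upload-pack", h.UploadPack)
+r.Post("/git-receive-pack", h.ReceivePack)
 r.Get("/compare/{rev1}/{rev2}", h.Compare) // git diff-tree compare of two objects
 
 r.With(h.VerifySignature).Post("/hidden-ref/{forkRef}/{remoteRef}", h.NewHiddenRef)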
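Review bot: The new `r.Post("/git-receive-pack", h.ReceivePack)` line reads like a working push endpoint next to `/git-upload-pack`, although the handler only ever refuses. A trailing comment in the style of the `/compare` line would make that explicit, e.g. `// always refused; see Handle.RejectPush`. The route is registered without `h.VerifySignature`, unlike the `hidden-ref` route below it; that is reasonable while the handler only rejects, but it should be revisited if the handler ever starts accepting data. The enclosing route block starts and ends outside the hunk.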