tangled.org / core
Monorepo for Tangled tangled.org
fork atom

appview: state: verify if commit is a valid hash before fetching

Fixes a crash when viewing a single commit, and possibly appending something like `.patch` to the end of it. The `result` from the knotserver is nil and then leads to a nil pointer deref later.

authored by anirudh.fi and committed by Tangled 4793720c e50e3319

options
unified split
Changed files
+7
appview
state
repo.go
+7
appview/state/repo.go
··· 21 "github.com/bluesky-social/indigo/atproto/syntax" 22 securejoin "github.com/cyphar/filepath-securejoin" 23 "github.com/go-chi/chi/v5" 24 "tangled.sh/tangled.sh/core/api/tangled" 25 "tangled.sh/tangled.sh/core/appview/auth" 26 "tangled.sh/tangled.sh/core/appview/db" ··· 248 if !s.config.Dev { 249 protocol = "https" 250 } 251 resp, err := http.Get(fmt.Sprintf("%s://%s/%s/%s/commit/%s", protocol, f.Knot, f.OwnerDid(), f.RepoName, ref)) 252 if err != nil { 253 log.Println("failed to reach knotserver", err)
··· 21 "github.com/bluesky-social/indigo/atproto/syntax" 22 securejoin "github.com/cyphar/filepath-securejoin" 23 "github.com/go-chi/chi/v5" 24 + "github.com/go-git/go-git/v5/plumbing" 25 "tangled.sh/tangled.sh/core/api/tangled" 26 "tangled.sh/tangled.sh/core/appview/auth" 27 "tangled.sh/tangled.sh/core/appview/db" ··· 249 if !s.config.Dev { 250 protocol = "https" 251 } 252 + 253 + if !plumbing.IsHash(ref) { 254 + s.pages.Error404(w) 255 + return 256 + } 257 + 258 resp, err := http.Get(fmt.Sprintf("%s://%s/%s/%s/commit/%s", protocol, f.Knot, f.OwnerDid(), f.RepoName, ref)) 259 if err != nil { 260 log.Println("failed to reach knotserver", err)