kot.pink / core
forked from tangled.org/core
Monorepo for Tangled — https://tangled.org
fork atom

knotserver: reject '{did}/{name}/git-receive-pack' requests

tjh.dev 5139c88a ca454e92

options
unified split
Changed files
+14
knotserver
git.go
handler.go
+13
knotserver/git.go 
···

       
93

       
93

       
 

       
	}


     

       
94

       
94

       
 

       
}


     

       
95

       
95

       
 

       



     

       

       
96

       
+

       
func (d *Handle) ReceivePack(w http.ResponseWriter, r *http.Request) {


     

       

       
97

       
+

       
	did := chi.URLParam(r, "did")


     

       

       
98

       
+

       
	name := chi.URLParam(r, "name")


     

       

       
99

       
+

       
	_, err := securejoin.SecureJoin(d.c.Repo.ScanPath, filepath.Join(did, name))


     

       

       
100

       
+

       
	if err != nil {


     

       

       
101

       
+

       
		gitError(w, err.Error(), http.StatusForbidden)


     

       

       
102

       
+

       
		d.l.Error("git: failed to secure join repo path", "handler", "ReceivePack", "error", err)


     

       

       
103

       
+

       
		return


     

       

       
104

       
+

       
	}


     

       

       
105

       
+

       



     

       

       
106

       
+

       
	d.RejectPush(w, r, name)


     

       

       
107

       
+

       
}


     

       

       
108

       
+

       



     

       
96

       
109

       
 

       
func (d *Handle) RejectPush(w http.ResponseWriter, r *http.Request, unqualifiedRepoName string) {


     

       
97

       
110

       
 

       
	// A text/plain response will cause git to print each line of the body


     

       
98

       
111

       
 

       
	// prefixed with "remote: ".
+1
knotserver/handler.go 
···

       
83

       
83

       
 

       
			r.Get("/", h.RepoIndex)


     

       
84

       
84

       
 

       
			r.Get("/info/refs", h.InfoRefs)


     

       
85

       
85

       
 

       
			r.Post("/git-upload-pack", h.UploadPack)


     

       

       
86

       
+

       
			r.Post("/git-receive-pack", h.ReceivePack)


     

       
86

       
87

       
 

       
			r.Get("/compare/{rev1}/{rev2}", h.Compare) // git diff-tree compare of two objects


     

       
87

       
88

       
 

       



     

       
88

       
89

       
 

       
			r.With(h.VerifySignature).Post("/hidden-ref/{forkRef}/{remoteRef}", h.NewHiddenRef)