From 5ec5570e172da798bf3277fad43c07d5ae63246d Mon Sep 17 00:00:00 2001
From: Ayman Bagabas
Date: Fri, 7 Apr 2023 11:42:02 -0400
Subject: [PATCH] feat(backend): validate repo name only allow alphanumeric, dashes, underscores, periods, and slashes
---
 server/backend/sqlite/sqlite.go | 15 +++++++++++++++
 server/utils/utils.go | 15 +++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/server/backend/sqlite/sqlite.go b/server/backend/sqlite/sqlite.go
index f3ffc7e62..d3dcb81ad 100644
--- a/server/backend/sqlite/sqlite.go
+++ b/server/backend/sqlite/sqlite.go
@@ -123,6 +123,10 @@ func (d *SqliteBackend) SetAnonAccess(level backend.AccessLevel) error {
 // It implements backend.Backend.
 func (d *SqliteBackend) CreateRepository(name string, opts backend.RepositoryOptions) (backend.Repository, error) {
 	name = utils.SanitizeRepo(name)
+	if err := utils.ValidateRepo(name); err != nil {
+		return nil, err
+	}
+
 	repo := name + ".git"
 	rp := filepath.Join(d.reposPath(), repo)
 
@@ -165,6 +169,10 @@ func (d *SqliteBackend) CreateRepository(name string, opts backend.RepositoryOpt
 // ImportRepository imports a repository from remote.
 func (d *SqliteBackend) ImportRepository(name string, remote string, opts backend.RepositoryOptions) (backend.Repository, error) {
 	name = utils.SanitizeRepo(name)
+	if err := utils.ValidateRepo(name); err != nil {
+		return nil, err
+	}
+
 	repo := name + ".git"
 	rp := filepath.Join(d.reposPath(), repo)
 
@@ -217,7 +225,14 @@ func (d *SqliteBackend) DeleteRepository(name string) error {
 // It implements backend.Backend.
 func (d *SqliteBackend) RenameRepository(oldName string, newName string) error {
 	oldName = utils.SanitizeRepo(oldName)
+	if err := utils.ValidateRepo(oldName); err != nil {
+		return err
+	}
+
 	newName = utils.SanitizeRepo(newName)
+	if err := utils.ValidateRepo(newName); err != nil {
+		return err
+	}
 	oldRepo := oldName + ".git"
 	newRepo := newName + ".git"
 	op := filepath.Join(d.reposPath(), oldRepo)
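Review bot: The sanitize-then-validate pair is now copied verbatim into CreateRepository, ImportRepository and RenameRepository (all three hunks in this file), and nothing keeps a further call site in step with them; the third hunk's header shows a DeleteRepository method exists, and whether it runs the same check is not visible here. Folding the pair into one helper that returns the cleaned name together with the error, e.g. a proposed `name, err := utils.CleanRepo(name)`, would make the check hard to omit at a new call site and keep the sanitize/validate order fixed in one place. Every enclosing function in this file starts before and ends after its hunk.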
diff --git a/server/utils/utils.go b/server/utils/utils.go
index e6fcc332c..f3b01eb30 100644
--- a/server/utils/utils.go
+++ b/server/utils/utils.go
@@ -33,3 +33,18 @@ func ValidateUsername(username string) error {
 
 	return nil
 }
+
+// ValidateRepo returns an error if the given repository name is invalid.
+func ValidateRepo(repo string) error {
+	if repo == "" {
+		return fmt.Errorf("repo cannot be empty")
+	}
+
+	for _, r := range repo {
+		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' && r != '.' && r != '/' {
+			return fmt.Errorf("repo can only contain letters, numbers, hyphens, underscores, periods, and slashes")
+		}
+	}
+
+	return nil
+}
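Review bot: The per-rune allow-list in ValidateRepo accepts `.` and `/` together, so names such as `../x` or `a/../b` pass the loop and are later joined onto the repository root with filepath.Join in the sqlite backend; whether that can escape the root depends on what SanitizeRepo does with leading `..` components, which is not visible in this patch. A structural check after the loop closes the gap regardless of the sanitizer: `if path.Clean("/"+repo) != "/"+repo { return fmt.Errorf("repo must be a clean relative path without . or .. elements") }` (the `path` package would need importing). Separately, unicode.IsLetter and unicode.IsDigit admit letters and digits from every script, which is wider than the "alphanumeric" the commit message describes — fine if intended, but worth stating in the doc comment, e.g. `// Letters and digits are checked with the unicode package, so they are not limited to ASCII.`. Both error strings contain no format verbs, so `errors.New` is the conventional choice over fmt.Errorf there.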