Commit 9486f28

improve regex, fix tests
1 parent f756fc7 commit 9486f28

3 files changed

+80
-6
lines changed


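--- a/routers/api/packages/generic/generic.go
+++ b/routers/api/packages/generic/generic.go
@@ -8,6 +8,7 @@ import (
 "net/http"
 "regexp"
 "strings"
+"unicode"
 
 packages_model "code.gitea.io/gitea/models/packages"
 "code.gitea.io/gitea/modules/log"
@@ -18,8 +19,8 @@ import (
 )
 
 var (
-packageNameRegex = regexp.MustCompile(`\A[-_+.A-Za-z0-9]+\z`)
-filenameRegex = regexp.MustCompile(`\A[-_+=:;.()\[\]{}~!@#$%^& A-Za-z0-9]+\z`)
+packageNameRegex = regexp.MustCompile(`\A[-_+.\w]+\z`)
+filenameRegex = regexp.MustCompile(`\A[-_+=:;.()\[\]{}~!@#$%^& \w]+\z`)
 )
 
 func apiError(ctx *context.Context, status int, obj any) {
@@ -54,20 +55,33 @@ func DownloadPackageFile(ctx *context.Context) {
 helper.ServePackageFile(ctx, s, u, pf)
 }
 
+func isValidPackageName(packageName string) bool {
+if len(packageName) == 1 && !unicode.IsLetter(rune(packageName[0])) {
+return false
+}
+return packageNameRegex.MatchString(packageName) && packageName != ".."
+}
+
+func isValidFileName(filename string) bool {
+return filenameRegex.MatchString(filename) &&
+strings.TrimSpace(filename) == filename &&
+filename != "." && filename != ".."
+}
+
 // UploadPackage uploads the specific generic package.
 // Duplicated packages get rejected.
 func UploadPackage(ctx *context.Context) {
 packageName := ctx.Params("packagename")
 filename := ctx.Params("filename")
 
-if !packageNameRegex.MatchString(packageName) || !filenameRegex.MatchString(filename) {
-apiError(ctx, http.StatusBadRequest, errors.New("Invalid package name or filename"))
+if !isValidPackageName(packageName) || isValidFileName(filename) {
+apiError(ctx, http.StatusBadRequest, errors.New("invalid package name or filename"))
 return
 }
 
 packageVersion := ctx.Params("packageversion")
 if packageVersion != strings.TrimSpace(packageVersion) {
-apiError(ctx, http.StatusBadRequest, errors.New("Invalid package version"))
+apiError(ctx, http.StatusBadRequest, errors.New("invalid package version"))
 return
 }
 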
@@ -0,0 +1,60 @@
1+
package generic
2+
3+
import (
4+
"testing"
5+
6+
"github.com/stretchr/testify/assert"
7+
)
8+
9+
func TestValidatePackageName(t *testing.T) {
10+
bad := []string{
11+
"",
12+
".",
13+
"..",
14+
"-",
15+
"a?b",
16+
"a b",
17+
"a/b",
18+
}
19+
for _, name := range bad {
20+
assert.False(t, isValidPackageName(name), "bad=%q", name)
21+
}
22+
23+
good := []string{
24+
"a",
25+
"a-",
26+
"a_b",
27+
"c.d+",
28+
}
29+
for _, name := range good {
30+
assert.True(t, isValidPackageName(name), "good=%q", name)
31+
}
32+
}
33+
34+
func TestValidateFileName(t *testing.T) {
35+
bad := []string{
36+
"",
37+
".",
38+
"..",
39+
"a?b",
40+
"a/b",
41+
" a",
42+
"a ",
43+
}
44+
for _, name := range bad {
45+
assert.False(t, isValidFileName(name), "bad=%q", name)
46+
}
47+
48+
good := []string{
49+
"-",
50+
"a",
51+
"a-",
52+
"a_b",
53+
"a b",
54+
"c.d+",
55+
`-_+=:;.()[]{}~!@#$%^& aA1`,
56+
}
57+
for _, name := range good {
58+
assert.True(t, isValidFileName(name), "good=%q", name)
59+
}
60+
}

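--- a/tests/integration/api_packages_generic_test.go
+++ b/tests/integration/api_packages_generic_test.go
@@ -84,7 +84,7 @@ func TestPackageGeneric(t *testing.T) {
 t.Run("InvalidParameter", func(t *testing.T) {
 defer tests.PrintCurrentTest(t)()
 
-req := NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, "invalid+package name", packageVersion, filename), bytes.NewReader(content)).
+req := NewRequestWithBody(t, "PUT", fmt.Sprintf("/api/packages/%s/generic/%s/%s/%s", user.Name, "invalid|package name", packageVersion, filename), bytes.NewReader(content)).
 AddBasicAuth(user.Name)
 MakeRequest(t, req, http.StatusBadRequest)
 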