From cb0e788e98482b3cbf983bbecfb802a9cfaf2447 Mon Sep 17 00:00:00 2001
From: "Rafael G. Martins"
Date: Thu, 10 Feb 2022 03:45:16 +0100
Subject: git-receiver: pre-receive: validate ref prefix
---
 src/blogc-git-receiver/pre-receive-parser.c | 4 +++-
 tests/blogc-git-receiver/check_pre_receive_parser.c | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/blogc-git-receiver/pre-receive-parser.c b/src/blogc-git-receiver/pre-receive-parser.c
index 52b0b76..61a533c 100644
--- a/src/blogc-git-receiver/pre-receive-parser.c
+++ b/src/blogc-git-receiver/pre-receive-parser.c
@@ -64,7 +64,9 @@ bgr_pre_receive_parse(const char *input, size_t input_len)
 if (c != '\n')
 break;
 state = START_OLD;
- if (current - start > 11) {
+ if ((current - start > 11) &&
+ (0 == strncmp("refs/heads/", input + start, 11)))
+ {
 char *key = bc_strndup(input + start + 11, current - start - 11);
 bc_trie_insert(rv, key, bc_strndup(input + start_new, start - 1 - start_new));
 free(key);
diff --git a/tests/blogc-git-receiver/check_pre_receive_parser.c b/tests/blogc-git-receiver/check_pre_receive_parser.c
index c431821..cad1421 100644
--- a/tests/blogc-git-receiver/check_pre_receive_parser.c
+++ b/tests/blogc-git-receiver/check_pre_receive_parser.c
@@ -43,6 +43,10 @@ test_pre_receive_parse(void **state)
 "4f1f932f6ef6d6c9770266775c2db072964d7a62 "
 "3fff4bb3172f77b292b0c913749e81bedd3545f3 "
 "refs/heads/master"));
+ assert_null(_bgr_pre_receive_parse(
+ "4f1f932f6ef6d6c9770266775c2db072964d7a62 "
+ "3fff4bb3172f77b292b0c913749e81bedd3545f3 "
+ "adgfdgdfgfdgdfgdfgdfgdfgdfg\n"));
 bc_trie_t *t;
 t = _bgr_pre_receive_parse(
-- cgit v1.2.3-18-g5258
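Review bot: The prefix length 11 now appears four times next to the literal "refs/heads/" in the new condition and the two bc_strndup arguments, so the comparison and the strip can drift apart if the prefix is ever edited. Deriving the length from the literal keeps them tied, e.g. `static const char prefix[] = "refs/heads/";` and `const size_t prefix_len = sizeof(prefix) - 1;`, then `strncmp(prefix, input + start, prefix_len)`. Refs outside refs/heads/ are now skipped silently, so a short comment such as `/* only branch refs are recorded; tags and other namespaces are ignored */` would mark that as deliberate. It is also worth confirming that the caller rejects a push that yields no matching entry, since that code is outside the hunk. bgr_pre_receive_parse starts and ends outside the hunk.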
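Review bot: The added assert_null case in test_pre_receive_parse only exercises a ref with no namespace at all, not the input this fix is about: a well-formed ref outside refs/heads/ that is longer than 11 bytes. A case with a constructed ref such as `"refs/tags/v1.0.0\n"` would pin that a tag is no longer recorded under a truncated name. A two-line input mixing one branch ref with one non-branch ref would show that only the branch lands in the trie. The test function continues outside the hunk.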