Allow any ref, not just tags or branches #83
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* updates docs - adds extensive docs to Git, Util and Service - adds named function to events to trace errors more easily * fixes req to be typed http.IncomingMessage
…eHead slightly. These three methods are now chainable. (gabrielcsapo#27)
* makes authenticate more flexible - [BREAKING] changes the interface for authentication to make it more flexible - when error is sent back to client ensure error is string * updates readme and example * adds README notice
* fixes type to be the same as the event names * updates changelog
* adds https support * ensures options is set * updates readme and adds example for https * fixes lint * documents git ssl override
* gitignore update for visual studio, Buffer Fix gabrielcsapo#38 * Update util.js * Update service.js
It is currently possible to overwrite the `repoDir` by sending a repository name that starts with a "/", the `path.resolve` method prioritizes the second argument see the example below.
path.resolve("/my/repo/folder","/etc"); // /etc
This behavior gives an attacker the ability to create/write/pull repositories from an arbitrary absolute path, this issue could also impact authentication in some cases as it corrupts the repository name.
mattwynne
changed the title
mattwynne
changed the title
|
This is great, any updates on tests @mattwynne ? |
|
I'm afraid I haven't had any time to give this attention since I shared my spike code. I got stuck on #81 - because I want to trust my environment before I start adding more tests. |
|
I can unblock you on that this weekend! |
|
@mattwynne tests should be fixed, CI is now running via GitHub actions! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The current regex for parsing a receive-pack payload assumes the ref will be of the form:
We'd like to be able to push arbitrary refs, like
The goal of this PR is to make that change, with tests and any neccesary changes to the outside API / internal model.
To do:
refs/one/two)