
appview: block arbitrary compares

stopgap to deter bots

Signed-off-by: oppiliappan <me@oppi.li>

+8
+8
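--- a/appview/repo/compare.go
+++ b/appview/repo/compare.go
@@ -5,6 +5,7 @@
 "fmt"
 "net/http"
 "net/url"
+"regexp"
 "strings"
 
 "tangled.org/core/api/tangled"
@@ -16,6 +17,8 @@
 indigoxrpc "github.com/bluesky-social/indigo/xrpc"
 "github.com/go-chi/chi/v5"
 )
+
+var shaPattern = regexp.MustCompile(`^[0-9a-f]{4,40}$`)
 
 func (rp *Repo) CompareNew(w http.ResponseWriter, r *http.Request) {
 l := rp.logger.With("handler", "RepoCompareNew")
@@ -129,6 +132,11 @@
 if base == "" || head == "" {
 l.Error("invalid comparison")
 rp.pages.Error404(w)
+return
+}
+
+if shaPattern.MatchString(base) || shaPattern.MatchString(head) {
+http.Error(w, "comparing by commit SHA is not allowed, use a branch or tag name", http.StatusForbidden)
 return
 }
 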
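Review bot: The guard added in the third hunk is a deny-list on bare lowercase hex, so it both over-blocks (a branch or tag legitimately named `beef` or `cafe` is rejected with a 403) and under-blocks (any value that is not exactly 4–40 lowercase hex characters but still resolves to a commit passes through; whether uppercase hex resolves depends on the resolver downstream, which is not visible here). Since the commit message calls this a stopgap, the follow-up should replace the pattern with a positive check that `base` and `head` name an existing branch or tag of the repository, which removes both failure modes at once. The new branch also returns silently, unlike the `l.Error("invalid comparison")` branch just above it; logging the rejection, e.g. `l.Error("rejected compare by sha", "base", base, "head", head)` — presumably the logger takes key/value pairs as in `rp.logger.With` — would make the bot traffic this is meant to deter observable. The enclosing `CompareNew` starts in the earlier hunk and continues past the end of this one.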