git_misc: Sanitize paths

author: Runxi Yu <me@runxiyu.org> 2025-02-11 17:31:30 +0800
committer: Runxi Yu <me@runxiyu.org> 2025-02-11 17:31:30 +0800
commit: 1486b0df1b04adc32e9207b836513226e8015b3e (patch)
tree: 60e7b9cfdab457a92654c24150bbeb1658d10d29 /git_misc.go
parent: go.mod: Bump dependencies (diff)
download: forge-1486b0df1b04adc32e9207b836513226e8015b3e.tar.gz
forge-1486b0df1b04adc32e9207b836513226e8015b3e.tar.zst
forge-1486b0df1b04adc32e9207b836513226e8015b3e.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/git_misc.go b/git_misc.go
index a5bcc9e..3aded4f 100644
--- a/git_misc.go
+++ b/git_misc.go
@@ -12,7 +12,17 @@ import (
 	"go.lindenii.runxiyu.org/lindenii-common/misc"
 )
 
+var err_unsafe_path = errors.New("Unsafe path")
+
 func open_git_repo(group_name, repo_name string) (*git.Repository, error) {
+	group_name, group_name_ok := misc.Sanitize_path(group_name)
+	if !group_name_ok {
+		return nil, err_unsafe_path
+	}
+	repo_name, repo_name_ok := misc.Sanitize_path(repo_name)
+	if !repo_name_ok {
+		return nil, err_unsafe_path
+	}
 	return git.PlainOpen(filepath.Join(config.Git.Root, group_name, repo_name+".git"))
 }
author	Runxi Yu <me@runxiyu.org>	2025-02-11 17:31:30 +0800
committer	Runxi Yu <me@runxiyu.org>	2025-02-11 17:31:30 +0800
commit	1486b0df1b04adc32e9207b836513226e8015b3e (patch)
tree	60e7b9cfdab457a92654c24150bbeb1658d10d29 /git_misc.go
parent	go.mod: Bump dependencies (diff)
download	forge-1486b0df1b04adc32e9207b836513226e8015b3e.tar.gz forge-1486b0df1b04adc32e9207b836513226e8015b3e.tar.zst forge-1486b0df1b04adc32e9207b836513226e8015b3e.zip