ssh/recv: Check hooksPath before receiving packs

1 files changed, 22 insertions, 0 deletions

diff --git a/ssh_handle_receive_pack.go b/ssh_handle_receive_pack.go
index af576bc..971d11c 100644
--- a/ssh_handle_receive_pack.go
+++ b/ssh_handle_receive_pack.go
@@ -7,11 +7,13 @@ import (
 	"os/exec"
 
 	glider_ssh "github.com/gliderlabs/ssh"
+	"github.com/go-git/go-git/v5"
 	"go.lindenii.runxiyu.org/lindenii-common/cmap"
 )
 
 type pack_to_hook_t struct {
 	session       glider_ssh.Session
+	repo          *git.Repository
 	pubkey        string
 	direct_access bool
 	repo_path     string
@@ -29,6 +31,25 @@ func ssh_handle_receive_pack(session glider_ssh.Session, pubkey string, repo_ide
 	if err != nil {
 		return err
 	}
+	repo, err := git.PlainOpen(repo_path)
+	if err != nil {
+		return err
+	}
+
+	repo_config, err := repo.Config()
+	if err != nil {
+		return err
+	}
+
+	repo_config_core := repo_config.Raw.Section("core")
+	if repo_config_core == nil {
+		return errors.New("Repository has no core section in config")
+	}
+
+	hooksPath := repo_config_core.OptionAll("hooksPath")
+	if len(hooksPath) != 1 || hooksPath[0] != config.Hooks.Execs {
+		return errors.New("Repository has hooksPath set to an unexpected value")
+	}
 
 	if !direct_access {
 		switch contrib_requirements {
@@ -73,6 +94,7 @@ func ssh_handle_receive_pack(session glider_ssh.Session, pubkey string, repo_ide
 		repo_id:       repo_id,
 		group_name:    group_name,
 		repo_name:     repo_name,
+		repo:          repo,
 	})
 	defer pack_to_hook_by_cookie.Delete(cookie)
 	// The Delete won't execute until proc.Wait returns unless something