fix: bind Forgejo hook repository scope
This commit is contained in:
parent
4bc8133218
commit
5c02c27467
@ -12,7 +12,13 @@ GRANT_DIR = os.environ.get("REPO_AUTHORIZATION_DIR", "/var/lib/guanghu/repo-auth
|
||||
def normalize_repo(value):
|
||||
value = value.strip().lower().removesuffix(".git")
|
||||
match = re.search(r"(?:gitea-repositories|repositories)/([^/]+/[^/]+)$", value)
|
||||
return match.group(1) if match else value
|
||||
if match:
|
||||
return match.group(1)
|
||||
# Forgejo's hook environment may expose only the repository name.
|
||||
# This instance is single-owner and the allowlist below remains authoritative.
|
||||
if re.fullmatch(r"[a-z0-9._-]+", value):
|
||||
return f"bingshuo/{value}"
|
||||
return value
|
||||
|
||||
|
||||
def check(repo, now=None):
|
||||
|
||||
@ -26,6 +26,7 @@ class RepoAuthorizationGuardTests(unittest.TestCase):
|
||||
try:
|
||||
with open(os.path.join(directory,"bingshuo__fifth-domain.json"),"w") as handle: json.dump({"repo":"bingshuo/fifth-domain","target":"JD-FD-PRIMARY","expires_at":200}, handle)
|
||||
self.assertEqual(MOD.check("/var/lib/gitea/repositories/bingshuo/fifth-domain.git",100),(True,"ok"))
|
||||
self.assertEqual(MOD.check("fifth-domain",100),(True,"ok"))
|
||||
finally: MOD.GRANT_DIR = old
|
||||
|
||||
if __name__ == "__main__": unittest.main()
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user