diff --git a/zero-point/core-channel/revive-guard/repo-authorization-guard.py b/zero-point/core-channel/revive-guard/repo-authorization-guard.py index 7f7ee09..1bb9e0c 100755 --- a/zero-point/core-channel/revive-guard/repo-authorization-guard.py +++ b/zero-point/core-channel/revive-guard/repo-authorization-guard.py @@ -12,7 +12,13 @@ GRANT_DIR = os.environ.get("REPO_AUTHORIZATION_DIR", "/var/lib/guanghu/repo-auth def normalize_repo(value): value = value.strip().lower().removesuffix(".git") match = re.search(r"(?:gitea-repositories|repositories)/([^/]+/[^/]+)$", value) - return match.group(1) if match else value + if match: + return match.group(1) + # Forgejo's hook environment may expose only the repository name. + # This instance is single-owner and the allowlist below remains authoritative. + if re.fullmatch(r"[a-z0-9._-]+", value): + return f"bingshuo/{value}" + return value def check(repo, now=None): diff --git a/zero-point/core-channel/revive-guard/repo-authorization-guard.test.py b/zero-point/core-channel/revive-guard/repo-authorization-guard.test.py index be9e164..bc3c8f4 100644 --- a/zero-point/core-channel/revive-guard/repo-authorization-guard.test.py +++ b/zero-point/core-channel/revive-guard/repo-authorization-guard.test.py @@ -26,6 +26,7 @@ class RepoAuthorizationGuardTests(unittest.TestCase): try: with open(os.path.join(directory,"bingshuo__fifth-domain.json"),"w") as handle: json.dump({"repo":"bingshuo/fifth-domain","target":"JD-FD-PRIMARY","expires_at":200}, handle) self.assertEqual(MOD.check("/var/lib/gitea/repositories/bingshuo/fifth-domain.git",100),(True,"ok")) + self.assertEqual(MOD.check("fifth-domain",100),(True,"ok")) finally: MOD.GRANT_DIR = old if __name__ == "__main__": unittest.main()